Showing preview only (1,285K chars total). Download the full file or copy to clipboard to get everything.
Repository: thomasjball/PyExZ3
Branch: master
Commit: 7dac957d57bd
Files: 140
Total size: 1.2 MB
Directory structure:
gitextract_nf65lu9d/
├── .gitattributes
├── .gitignore
├── README.md
├── TODO.md
├── Vagrantfile
├── copyright.txt
├── fail/
│ ├── arrayindex.py
│ ├── dictbool.py
│ ├── divzero.py
│ ├── git.py
│ ├── pow.py
│ └── sqrttest.py
├── marktoberdorf_paper/
│ ├── DSE/
│ │ ├── CodeReview.pptx
│ │ ├── DSE.mdk
│ │ ├── IOS-Book-Article.cls
│ │ ├── cpp2.json
│ │ ├── dse.bib
│ │ ├── ignores.dic
│ │ └── out/
│ │ └── DSE.tex
│ ├── DSE.html
│ └── forPublisher/
│ ├── IOS-Book-Article.cls
│ ├── css.sty
│ ├── dse.tex
│ └── madoko.sty
├── marktoberdorf_slides/
│ ├── CodeReview.pptx
│ ├── Marktoberdorf2014_1.pptx
│ ├── Marktoberdorf2014_2.pptx
│ ├── Marktoberdorf2014_3.pptx
│ ├── Marktoberdorf2014_4.pptx
│ ├── collatz.py
│ └── examples/
│ ├── adder.py
│ ├── automata.py
│ ├── check_adder.py
│ ├── check_mult.py
│ ├── first.py
│ ├── hats.py
│ ├── mult.py
│ └── mult2.py
├── pyexz3.py
├── run_tests.py
├── setup.bat
├── setup.sh
├── symbolic/
│ ├── __init__.py
│ ├── args.py
│ ├── constraint.py
│ ├── cvc_expr/
│ │ ├── __init__.py
│ │ ├── exprbuilder.py
│ │ ├── expression.py
│ │ ├── integer.py
│ │ └── string.py
│ ├── cvc_wrap.py
│ ├── explore.py
│ ├── invocation.py
│ ├── loader.py
│ ├── path_to_constraint.py
│ ├── predicate.py
│ ├── symbolic_types/
│ │ ├── __init__.py
│ │ ├── symbolic_dict.py
│ │ ├── symbolic_int.py
│ │ ├── symbolic_str.py
│ │ └── symbolic_type.py
│ ├── z3_expr/
│ │ ├── __init__.py
│ │ ├── bitvector.py
│ │ ├── expression.py
│ │ └── integer.py
│ └── z3_wrap.py
├── test/
│ ├── abs_test.py
│ ├── andor.py
│ ├── arrayindex2.py
│ ├── bad_eq.py
│ ├── bignum.py
│ ├── binary_search.py
│ ├── bitwidth.py
│ ├── complex.py
│ ├── cseppento1.py
│ ├── cseppento2.py
│ ├── cseppento3.py
│ ├── cvc/
│ │ ├── effectivebool.py
│ │ ├── emptystr.py
│ │ ├── escape.py
│ │ ├── none.py
│ │ ├── strcontains.py
│ │ ├── strcount.py
│ │ ├── strfind.py
│ │ ├── strfindbeg.py
│ │ ├── strindex.py
│ │ ├── stringadd.py
│ │ ├── stringtest.py
│ │ ├── strmiddle.py
│ │ ├── strreplace.py
│ │ ├── strslice.py
│ │ ├── strsplit.py
│ │ ├── strstartswith.py
│ │ ├── strstrip.py
│ │ └── strsubstring.py
│ ├── decorator.py
│ ├── decorator_dict.py
│ ├── diamond.py
│ ├── dict.py
│ ├── dictionary.py
│ ├── elseif.py
│ ├── expand.py
│ ├── expressions.py
│ ├── filesys.py
│ ├── fp.py
│ ├── gcd.py
│ ├── hashval.py
│ ├── len_test.py
│ ├── lib/
│ │ ├── __init__.py
│ │ ├── bsearch.py
│ │ └── se_dict.py
│ ├── list.py
│ ├── logical_op.py
│ ├── loop.py
│ ├── many_branches.py
│ ├── maxtest.py
│ ├── mod.py
│ ├── modulo.py
│ ├── modulo2.py
│ ├── mult_assmt.py
│ ├── polyspace.py
│ ├── power.py
│ ├── power2.py
│ ├── powtest.py
│ ├── reverse.py
│ ├── set.py
│ ├── shallow_branches.py
│ ├── simple.py
│ ├── swap.py
│ ├── tmp
│ ├── tuplecmp.py
│ ├── unnecessary_condition.py
│ ├── unnecessary_condition2.py
│ ├── unnecessary_condition3.py
│ ├── unnecessary_condition4.py
│ ├── weird.py
│ └── whileloop.py
├── tools/
│ └── symbolic_int_subtype.py
├── utils.py
└── vagrant.sh
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto
# Custom for Visual Studio
*.cs diff=csharp
*.sln merge=union
*.csproj merge=union
*.vbproj merge=union
*.fsproj merge=union
*.dbproj merge=union
# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain
================================================
FILE: .gitignore
================================================
#################
## Eclipse
#################
*.pydevproject
.project
.metadata
bin/
tmp/
*.tmp
*.bak
*.swp
*~.nib
local.properties
.classpath
.settings/
.loadpath
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# CDT-specific
.cproject
# PDT-specific
.buildpath
#################
## Visual Studio
#################
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
#############
## Windows detritus
#############
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
#############
## Python
#############
*.py[co]
# Packages
*.egg
*.egg-info
dist/
build/
eggs/
parts/
var/
sdist/
develop-eggs/
.installed.cfg
# Installer logs
pip-log.txt
# Unit test / coverage reports
.coverage
.tox
#Translations
*.mo
#Mr Developer
.mr.developer.cfg
# PyEx stuff
se_normalized/
logfile
stdout
*.out
*.py#
#stdout#
#stdout.old#
#tmp#
*.dot
tmp.txt
#############
## Vagrant
#############
.vagrant
#############
## PyCharm
#############
.idea
================================================
FILE: README.md
================================================
PyExZ3
======
### Python Exploration with Z3
This code is a substantial rewrite of the NICE project's
(http://code.google.com/p/nice-of/) symbolic execution engine for
Python, now using the Z3 theorem prover (http://z3.codeplex.com). We have
removed the NICE-specific dependences, platform-specific code, and
made various improvements, documented below, so it can be used
by anyone wanting to experiment with dynamic symbolic execution.
The paper [Deconstructing Dynamic Symbolic Execution](http://research.microsoft.com/apps/pubs/?id=233035)
explains the basic ideas behind dynamic symbolic execution and the architecture
of the PyExZ3 tool (as of git tag v1.0). Bruni, Disney and Flanagan wrote about
encoding symbolic execution for Python in Python in the same way in their 2008 paper
[A Peer Architecture for Lightweight Symbolic Execution](http://hoheinzollern.files.wordpress.com/2008/04/seer1.pdf) - they use proxies rather than multiple inheritance for representing symbolic versions of Python types.
In the limit, **PyExZ3** attempts to *explore* all the feasible paths in a
Python function by:
- executing the function on a concrete input to trace a path through the control flow of the function;
- symbolic executing the path to determine how its conditions depend on the function's input parameters;
- generating new values for the parameters to drive the function to yet uncovered paths, using Z3.
For small programs without loops or recursion,
**PyExZ3** may be able to explore all feasible paths.
A novel aspect of the rewrite is to rely solely on Python's operator
overloading to accomplish all the interception needed for symbolic
execution; no AST rewriting or bytecode instrumentation is required,
This significantly improves the robustness and portability of **PyExZ3**,
as well as reducing its size.
### Setup instructions:
- Make sure that you use Python 32-bit (64-bit) if-and-only-if you use the Z3 32-bit (64-bit) binaries.
Testing so far has been on Python 3.2.3 and 32-bit.
- Install Python 3.2.3 (https://www.python.org/download/releases/3.2.3/)
- Install the latest "unstable" release of Z3 to directory Z3HOME from http://z3.codeplex.com/releases
(click on the "Planned" link on the right to get the latest binaries for all platforms)
- Add Z3HOME\bin to PATH and PYTHONPATH
- MacOS: setup.sh for Homebrew default locations for Python and Z3; see end for MacOS specific instructions
- Optional:
-- install GraphViz utilities (http://graphviz.org/)
### Check that everything works:
- `python run_tests.py test` should pass all tests
- `python pyexz3.py test\FILE.py` to run a single test from the test directory
### Usage of PyExZ3
- **Basic usage**: give a Python file `FILE.py` as input. By default, `pyexz3` expects `FILE.py`
to contain a function named `FILE` where symbolic execution will start:
- `pyexz3 FILE.py`
- **Starting function**: You can override the default starting function with `--start MAIN`,
where `MAIN` is the name of a function in `FILE`:
- pyexz3 `--start=MAIN` FILE.py
- **Bounding the number of iterations** of the path exploration is essential when
analyzing functions with loops and/or recursion. Specify a bound using the `max-iters` flag:
- pyexz3 `--max-iters=42` FILE.py
- **Arguments to starting function**: by default, pyexz3 associates a symbolic integer
(with initial value 0) for each parameter of the starting function. Import from
`symbolic.args` to get the `@concrete` and `@symbolic` decorators that let you override
the defaults on the starting function:
```
from symbolic.args import *
@concrete(a=1,b=2)
@symbolic(c=3)
def startingfun(a,b,c,d):
...
```
The `@concrete` decorator declares that a parameter will not be treated symbolically and
provides an initial value for the parameter.
The `@symbolic` decorator declares that a parameter will be treated symbolically - the type
of the associated initial value for the argument will be used to determine the proper symbolic
type (if one exists). In the above example, parameters `a` and `b` are treated concretely
and will have initial values `1` and `2` (for all paths explored), and parameter `c` will
be treated as a symbolic integer input with the initial value `3` (its value can change after
first path has been explored). Since parameter `d` is not specified, it will be treated as a symbolic
integer input with the initial value 0:
- **Output**: `pyexz3` prints the list of generated inputs and corresponding observed
return values to standard out; the lists of generated inputs and the corresponding return values are
returned by the exploration engine to `pyexz3` where they can be used for other
purposes, as described below.
- **Expected result functions** are used for testing of `pyexz3`. If the `FILE.py` contains a function named `expected_result` then after path exploration is complete, the list of return values will be compared against the list
returned by `expected_result`. More precisely, the two lists are converted into bags and the bags compared for equality. If a function named `expected_result_set` is present instead, the list are converted into sets and the sets are
compared for equality. List equality is too strong a criteria for testing, since small changes to programs can lead to paths being explored in different orders.
- **Import behavior**: the location of the `FILE.py` is added to the import path so that all imports in `FILE.py`
relative to that file will work.
- **Other options**
- `--graph=DOTFILE`
- `--log=LOGFILE`
### MacOS specific
1. Grab yourself a Brew at http://brew.sh/
2. Get the newest python or python3 version: `brew install python`
3. Have the system prefer brew python over system python: `echo export PATH='/usr/local/bin:$PATH' >> ~/.bash_profile` -
4. Get z3: `brew install homebrew/science/z3`
5. Clone this repository: `git clone https://github.com/thomasjball/PyExZ3.git`
6. Set the PATH: `. PyExZ3/setup.sh` (do not run the setup script in a subshell `./ PyExZ3/`)
### Vagrant specific
[Vagrant](http://www.vagrantup.com/) is a cross-platform tool to manage
virtualized development environments. Vagrant runs on Windows, OS X, and
Linux and can manage virtual machines running on VirtualBox, VMware,
Docker, and Hyper-V.
1. [Download Vagrant](http://www.vagrantup.com/downloads.html).
2. Install [VirtualBox](https://www.virtualbox.org/) or configure an
[alternative
provider](http://docs.vagrantup.com/v2/providers/index.html).
3. Run `vagrant up` from the PyExZ3 directory. The Vagrantfile in the
repository tells Vagrant to download a Debian base image, launch it with
the default provider (VirtualBox), and run the script `vagrant.sh` to
provision the machine.
4. Once the provisioning is done you can SSH into the machine using
`vagrant ssh` and PyExZ3 is ready to run. Please note that the
provisioning takes a while as Git is compiled from source as Debian's
Git is incompatible with [CodePlex](http://www.codeplex.com/) where Z3
is hosted.
### CVC SMT Solver
By default PyExZ3 uses the Z3 to solve path predicates. Optionally, the
[CVC SMT](http://cvc4.cs.nyu.edu/web/) solver can be enabled with the
`--cvc` argument. While the two solvers offer a similar feature set, the
integration of CVC differs from Z3 in a number of ways. Most
predominately, the CVC integration uses an unbounded rational number
representation for Python numbers, converting to bit vectors only for
bitwise operations. The Z3 integration uses bounded bit vectors for all
numbers. For programs that use any significant number of bitwise
operations, the default Z3-based configuration is strongly recommended.
Additionally, CVC does not support generating models for non-linear
relationships causing a few of the included PyExZ3 test cases to fail
with a `LogicException`.
================================================
FILE: TODO.md
================================================
TODO List
=========
- add basic support for SymbolicDictionary
-
- need to capture exceptions thrown by code under test as test results
- interesting question arises about re-initialization of input arguments
by ExplorationEngine and re-import of module under test in the face of
mutable initial objects - we want the re-import to be done before the
re-initialization, but that's not how it currently works. Easiest thing
to do is only allow empty dictionary to be specified in @symbolic
- check input/output behavior separately from sym_exe
- use consist case on names (Caml or C, choose one)
================================================
FILE: Vagrantfile
================================================
# -*- mode: ruby -*-
# vi: set ft=ruby :
VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.define "linux", primary: true do |v|
v.vm.provision "shell", path: "vagrant.sh"
v.vm.box = "chef/debian-7.4"
end
config.vm.provider "virtualbox" do |v|
v.memory = 1024
end
end
================================================
FILE: copyright.txt
================================================
# Files that mention copyright.txt were derived from the NICE project
#
# Copyright (c) 2011, EPFL (Ecole Politechnique Federale de Lausanne)
# All rights reserved.
#
# Created by Marco Canini, Daniele Venzano, Dejan Kostic, Jennifer Rexford
#
# Updated by Thonas Ball (2014)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# - Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# - Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# - Neither the names of the contributors, nor their associated universities or
# organizations may be used to endorse or promote products derived from this
# software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
================================================
FILE: fail/arrayindex.py
================================================
A = [0, 1]
# the index operation A[i] uses the underlying runtime representation
# of the Python int, so we have no way of capturing this "conditional
# through lookup" operation via inheritance from int, as done with
# SymbolicInteger
# see test\arrayindex2.py for the rewriting we would need to do
# to make the lookup explicit (greatly expanding the search space)
def arrayindex(i):
if A[i]:
return A[i]
else:
return "OTHER"
def expected_result():
return [ 1, "OTHER" ]
================================================
FILE: fail/dictbool.py
================================================
from symbolic.args import *
@symbolic(d={})
def dictbool(d):
x = d or {}
if x == {}:
return 0
return 1
def expected_result():
return [0, 1]
================================================
FILE: fail/divzero.py
================================================
# this one fails because we always start with zero for SymbolicIntegers
# we should have a few seed values to avoid this.
def divzero(in1,in2):
try:
if in1 / in2 >= 0:
return 1
elif in1 / in2 < 0:
return 2
return 0
except:
return "DIVZERO"
def expected_result():
return [0,1,2,"DIVZERO"]
================================================
FILE: fail/git.py
================================================
from symbolic.args import *
@symbolic(a=0xdeaddeaddeaddead,b=0xbeefbeefbeefbeef)
def git(a,b):
i=0;
passkeyn=[a,b]
expandedkey=[]
while i<6:
# while i<2: # WORKS
expandedkey=expandedkey+passkeyn
i=i+1
v1=passkeyn[0]
v2=passkeyn[1]
v3=(v1>>0x30)|(((v1>>0x20)&0xffff)<<0x10)|(((v1>>0x10)&0xffff)<<0x20)|((v1&0xffff)<<0x30)
v4=(v2>>0x30)|(((v2>>0x20)&0xffff)<<0x10)|(((v2>>0x10)&0xffff)<<0x20)|((v2&0xffff)<<0x30)
v5 = ((v4 & 0xFFFFFF8000000000) >> 39) | ((v3 << 25)&0xffffffffffffffff);
v6 = ((v3 & 0xFFFFFF8000000000) >> 39) | ((v4 << 25)&0xffffffffffffffff);
v1=(v5>>0x30)|(((v5>>0x20)&0xffff)<<0x10)|(((v5>>0x10)&0xffff)<<0x20)|(((v4 & 0xFFFFFF8000000000) >> 39)<<0x30)
v2=(v6>>0x30)|(((v6>>32)&0xffff)<<0x10)|(((v6>>0x10)&0xffff)<<0x20)|(((v3 & 0xFFFFFF8000000000) >> 39)<<0x30)
passkeyn=[v1,v2]
expandedkey=expandedkey+passkeyn
print(expandedkey)
if expandedkey==[16045725885737590445, 13758425323549998831, 7044313620519854103485, 8215411798635391606653, 8245388070021240879798, 3384596836810669685695, 9287860625795901259255, 4527376222128629444341, 4093654381503457390331, 4647353382867023162077, 8665057901351565392853, 8816957627389395711965, 6783497306152038280055, 9291067819851303074799]:
# WORKS
# if expandedkey==[16045725885737590445, 13758425323549998831, 7044313620519854103485, 8215411798635391606653, 8245388070021240879798, 3384596836810669685695]:
print("HERE")
return 1
else:
print("THERE")
return 2
if __name__ == "__main__":
git(0xdeaddeaddeaddead,0xbeefbeefbeefbeef)
================================================
FILE: fail/pow.py
================================================
# this one fails because we treat the operator ** concretely rather than symbolically
# so that the concrete value 0**2 is substituted in place of x**2.
# As a result, we never get to calling the theorem prover
def pow(x):
if 4 == x**2:
return "POW"
else:
return "OTHER"
def expected_result():
return [ "OTHER", "POW" ]
================================================
FILE: fail/sqrttest.py
================================================
from math import sqrt
# sqrt is handled concretely, just as with pow (**)
def sqrttest(in1):
if sqrt(in1) == 0:
return 1
elif sqrt(in1) > 0:
return 2
return 0
def expected_result():
return [1,2]
================================================
FILE: marktoberdorf_paper/DSE/DSE.mdk
================================================
Title : Deconstructing Dynamic Symbolic Execution
Author : Thomas Ball, Jakub Daniel
Affiliation : Microsoft Research, Charles University
Email : tball@microsoft.com, jakub.daniel@d3s.mff.cuni.cz
Doc Class : IOS-Book-Article.cls
Colorizer : javascript
Colorizer : cpp
Colorizer : cpp2
Bib style : plainnat
Bibliography: dse
Heading base: 2
.rulename : replace=/(.*)/(\1)/ font-variant=small-caps
~MathPre,.math-inline,.math-display: replace=/=\^=/{~\buildrel\triangle\over=~}/g
~MathPre,.math-inline,.math-display,~Equation: replace=/\bSt\b/\sigma/g
~Pre,~Code: language=python
.code2 : language=cpp2
.language-cpp2 : replace="/\b([TR])(')?(_.)?/\(T|$\1\2\3$\)/g"
~ HtmlOnly
[TITLE]
~
~ TexRaw
\begin{frontmatter} % The preamble begins here.
%\pretitle{Pretitle}
\title{Deconstructing Dynamic Symbolic Execution}
%\runningtitle{IOS Press Style Sample}
%\subtitle{Subtitle}
\author[A]{\fnms{Thomas} \snm{Ball}}
and
\author[B]{\fnms{Jakub} \snm{Daniel}}
\runningauthor{Thomas Ball et al.}
\address[A]{Microsoft Research}
\address[B]{Charles University}
~
~ Abstract
Dynamic symbolic execution (DSE) is a well-known technique
for automatically generating tests to achieve higher levels
of coverage in a program. Two keys ideas of DSE are
to: (1) seed symbolic execution by executing a program on an
initial input; (2) use concrete values from the program
execution in place of symbolic expressions whenever symbolic
reasoning is hard or not desired. We describe
DSE for a simple core language and then present
a minimalist implementation of DSE for Python (in Python)
that follows this basic recipe. The code is available
at https://www.github.com/thomasjball/PyExZ3/ (tagged "v1.0")
and has been designed to make it easy to experiment with and
extend.
~
~ TexRaw
\begin{keyword}
Symbolic Execution, Automatic Test Generation, White-box Testing, Automated
Theorem Provers
\end{keyword}
\end{frontmatter}
\thispagestyle{empty}
\pagestyle{empty}
~
[PyExZ3]: https://github.com/thomasjball/PyExZ3/
[Z3]: http://z3.codeplex.org/
[MRO]: https://www.python.org/download/releases/2.3/mro/
# Introduction { #sec-intro }
~ MathDefs
\defcommand{\mathkw}[1]{\textbf{#1}}
~
<!-- should we motivate more? -- this dives in deep very quickly -->
Static, path-based symbolic execution explores one control-flow path
at a time through a (sequential) program $P$, using an automated theorem
prover (ATP) to determine if the current path $p$ is feasible [@King76;@Clarke76].
Ideally, symbolic execution of a path $p$ through program
$P$ yields a logic formula $\phi_p$ that describes the set of inputs $I$ (possibly empty)
to program $P$ such that for any $i \in I$, the execution $P(i)$ follows path $p$.
If the formula $\phi_p$ is unsatisfiable then $I$ is empty and so path $p$ is not feasible;
if the formula is satisfiable then $I$ is not empty and so path $p$ is feasible.
In this case, a model of $\phi_p$ provides a witness $i \in I$. Thus, a model-generating ATP
can be used in conjunction with
symbolic execution to automatically generate tests to cover paths
in a program. Combined with a search strategy, one gets, in the limit,
an exhaustive white-box testing procedure, for which there are many
applications [@CadarGPDE06; @GodefroidLM12; @CadarS13].
The formula $\phi_p$ is called a *path-condition* of the path $p$.
We will see that a given path $p$ can induce many different path-conditions.
A path-condition $\psi_p$ for path $p$ is *sound* if
every input assignment satisfying $\psi_p$ defines an
execution of program $P$ that follows path $p$ [@Godefroid11].
By its definition, the formula $\phi_p$ is sound and the best representation of $p$
(as for all sound path-conditions $\psi_p$, we have that $\psi_p \implies \phi_p$).
In practice, we attempt to compute sound under-approximations of $\phi_p$
such as $\psi_p$. However, we also find it necessary (and useful) to
compute unsound path-conditions.
A path-condition can be translated into the input
language of an ATP, such as [Z3][Z3][@deMouraB08], which provides an answer
of "unsatisfiable", "satisfiable" or "unknown", due to theoretical or practical
limitations in automatically deciding satisfiability of various logics.
In the case that the ATP is able to prove "satisfiable" we can query it for
satisfying model in order to generate test inputs. A path-condition
for $p$ can be thought of as function from a
program's primary inputs to a Boolean output representing whether
or not $p$ is executed under a given input. Thus, we are asking
the ATP to invert a function when we ask it to decide
the satisfiability/unsatisfiability of a path-condition.
The static translation of a path $p$ through a program $P$ into
the most precise path-condition $\phi_p$ is not a simple task, as
programming languages and their semantics are very complex.
Completely characterizing the set of inputs $I$ that follow
path $p$ means providing a symbolic interpretation of
every operation in the language so that the
ATP can reason about it. For example, consider a method call in Python.
Python's algorithm for method resolution order (see [MRO])
depends on the inheritance hierarchy of the program, a directed,
acyclic graph that can evolve during program execution. Symbolically
encoding Python's method resolution order is possible but non-trivial.
There are other reasons it is hard or undesirable to symbolically
execute various operations, as will be explained in detail later.
## Dynamic symbolic execution
*Dynamic* symbolic execution (DSE) is a form of path-based
symbolic execution based on two insights. First, the approach
starts by executing program $P$ on
some input $i$, seeding the symbolic execution process
with a feasible path [@Korel90;@Korel92;@Gupta00].
Second, DSE
uses concrete values from the execution $P(i)$ in place of symbolic expressions
whenever symbolic reasoning is not possible or desired [@GodefroidKS05;@CadarE05].
The major benefit of DSE is to
simplify the construction of a symbolic execution tool by
leveraging concrete execution behavior (given by
actually running the program).
As DSE combines both
concrete and symbolic reasoning, it also has been called "concolic"
execution [@SenACAV06].
~ Figure { #fig-DSE caption="Pseudo-code for dynamic symbolic execution" }
```
i = an input to program P
while defined(i):
p = path covered by execution P(i)
cond = pathCondition(p)
s = ATP(Not(cond))
i = s.model()
```
~
The pseudo-code of Figure [#fig-DSE] shows the high level process
of DSE. The variable `i` represents an input
to program `P`. Execution of program `P` on the input `i`
traces a path `p`, from which
a logical formula `pathCondition(p)` is constructed.
Finally, the ATP is called with the negation of the path-condition
to find a new input (that hopefully will cover a new path). This
pseudo-code elides a number of details that we will deal with later.
~ Figure { #fig-easy-DSE caption="Easy example: computing the maximum of four numbers in Python."}
```
def max2(s,t):
if (s < t):
return t
else:
return s
def max4(a,b,c,d):
return max2(max2(a,b),max2(c,d))
```
~
Consider the Python function `max4` in Figure [#fig-easy-DSE],
which computes the maximum of four numbers via three calls to
the function `max2`. Suppose we execute `max4` with values
of zero for all four arguments. In this case, the
execution path $p$ contains three comparisons (in the order `(a < b)`,
`(c < d)`, `(a < c)`), all of which evaluate false.
Thus, the path-condition for path $p$ is `(not(a<b) and not(c<d) and not(a < c))`.
Negating this condition yields `((a<b) or (c<d) or (a<c))`.
Taking the execution ordering of the three comparisons into account, we
derive three expressions from the negated path-condition to generate
new inputs that will explore execution prefixes of path $p$ of increasing length:
* *length 0*: `(a<b)`
* *length 1*: `not (a<b) and (c<d)`
* *length 2*: `not (a<b) and not (c<d) and (a<c)`
The purpose of taking execution order into account should be clear, as the
comparison `(a<c)` only executes in the case where `(not (a<b) and not (c<d))`
holds. Integer solutions to the above three systems of constraints are:
* `a == 0 and b == 2 and c == 0 and d == 0`
* `a == 0 and b == 0 and c == 0 and d == 3`
* `a == 0 and b == 0 and c == 2 and d == 0`
In the three cases above, we sought solutions that kept as many of
the variables as possible equal to the original input (in which
all variables are equal to 0). Execution of the `max4` function
on the input corresponding to the first solution produces the path-condition
`((a<b) and not(c<d) and not(b < c))`, from which we can produce more
inputs. For this (loop-free function), there are a finite number
of path-conditions. We leave it as an exercise to the reader to
enumerate them all.
## Leveraging concrete values in DSE
We now consider several situations where we can make use of concrete
values in DSE. In the realm of (unbounded-precision) integer arithmetic
(e.g., bignum integer arithmetic, as in Python 3.0 onwards),
it is easy to come up with tiny programs that will be *very difficult*,
if not *impossible*,
for any symbolic execution tool to deal with, such as the function `fermat3`
in Figure [#fig-fermat3].
~ Figure { #fig-fermat3 caption="Hard example for symbolic execution"}
```
def fermat3(x,y,z):
if (x > 0 and y > 0 and z > 0):
if (x*x*x + y*y*y == z*z*z):
return "Fermat and Wiles were wrong!?!"
return 0
```
~
Fermat's Last Theorem, proved
by Andrew Wiles in the late 20th century, states that no
three positive integers $x$, $y$, and $z$ can satisfy the equation
$x^n + y^n = z^n$ for any integer value of $n$ greater than two.
The function `fermat3` encodes this statement for $n=3$. It
is not reasonable to have a computer waste time trying to find
a solution that would cause `fermat3` to print the string
`"Fermat and Wiles were wrong!?!"`. In cases of complex (non-linear)
arithmetic operations,
such as `x*x*x`, we might choose to handle the operation concretely.
There are a number of ways to deal with the above issue: one is
to recognize all non-linear terms in a symbolic expression and replace
them with their concrete counterparts during execution. For the `fermat3`
example, this would mean that during DSE the symbolic expression
`(x*x*x + y*y*y == z*z*z)` would be reduced to the constant `False`
by evaluation on the concrete values of variables `x`, `y` and `z`.
Besides difficult operations (such as non-linear arithmetic),
other examples of code that we might treat
concretely instead of symbolically include
functions that are hard to invert, such as cryptographic hash functions,
or low-level functions that we do not wish to test (such as
operating system functions). Consider
the code in Figure [#fig-hash], which applies the function
`unknown` to argument `x` and compares it to argument `y`.
By using the name `unknown` we simply mean to say that we
wish to model this function as a black box, with no knowledge
of how it operates internally.
~ Figure { #fig-hash caption="Another hard example for symbolic execution"}
```
def dart(x,y):
if (unknown(x) == y):
return 1
return 0
```
~
In such a case, we can use DSE to execute the function `unknown`
on a specific input (say `5013`) and observe its output
(say `42`). That is, rather than execute `unknown` symbolically
and invoke an ATP to invert the function's path-condition, we
simply treat the call to `unknown` concretely, substituting
its return value (in this case `42`) for the specialized expression
`unknown(5013) == y` to get the predicate `(42 == y)`.
Adding the constraint `(x == 5013)` yields the sound but
rather specific path-condition
`(x == 5013) and (42 == y)`.
Note that the path-condition `(42 == y)` is not sound, as it admits
any value for the variable `x`, which likely includes many values
for which `(unknown(x) == y)` is false.
## Overview
This introduction elides many important
issues that arise in implementing DSE for a real language, which we will
focus on in the remainder of the paper. These include how to:
* Identify the code under test $P$ and the symbolic inputs to $P$;
* Trace the control flow path $p$ taken by execution $P(i)$;
* Reinterpret program operations to compute symbolic expressions;
* Generate a path-condition from $p$ and the symbolic expressions;
* Generate a new input $i'$ by negating (part of) the path-condition, translating
the path-condition to the input language of an ATP, invoking the ATP, and
lifting a satisfying model (if any) back up to the source level;
* Guide the search to expose new paths.
The rest of this paper is organized as follows. Section [#sec-semantics]
describes an instrumented typing discipline where we lift each type (representing
a set of concrete values) to a symbolic type (representing
a set of pairs of concrete and symbolic values).
Section [#sec-sp2dse] shows how strongest postconditions defines a symbolic
semantics for a small programming language and how strongest postconditions
can be refined to model DSE.
Section [#sec-impl] describes an implementation of DSE for the Python language
in the Python language that follows the instrumented semantics pattern closely
(full implementation and tests available at [PyExZ3], tagged "v1.0").
Section [#sec-int2z3] describes the symbolic encoding of Python integer
operations using two decision procedures of Z3: linear arithmetic with
uninterpreted functions in place of non-linear operations;
fixed-width bit-vectors with precise encodings of most operations.
Section [#sec-extensions] offers a number of ideas for projects
to extend the capabilities of [PyExZ3].
# Instrumented Types { #sec-semantics }
We are given a universe of classes/types $U$; a type $T \in U$ carries
along a set of operations that apply to values of type $T$,
where an operation $o \in T$ takes an argument list of typed
values as input (the first being of type $T$) and produces a single
typed value as output. Nullary (static) operations of type $T$ can be
used to create values of type $T$ (such as constants, objects, etc.)
A program $P$ has typed input variables
$v_1 : T_1 \ldots v_k : T_k$ and a body from the language of statements $S$:
~MathPre
S \rightarrow & v := E
| & @skip
| & S_1 ; S_2
| & @if E @then S_1 @else S_2 @end
| & @while E @do S @end
~
The language of expressions ($E$) is defined by the application of operations
to values, where constants (nullary operations) and
program variables form the leaves
of the expression tree and non-nullary operators
form the interior nodes of the tree.
For now, we will consider all values to be immutable.
That is, the only source of mutation in the language is the
assignment statement.
To introduce symbolic execution into the picture,
we can imagine that a type $T \in U$ has
(one or more) counterparts in a symbolic universe $U'$. A type $T' \in U'$
is a subtype of $T \in U$ with two purposes:
* First, a value of type $T'$ represents a pair of values:
a concrete value $c$ of (super)type $T$ and a symbolic expression $e$.
A symbolic expression is a tree
whose leaves are either nullary operators (i.e., constants) of a type in $U$
or are Skolem constants representing the (symbolic) inputs ($v_1 \ldots v_k$)
to the program $P$, and whose interior nodes represent operations
from types in $U$. We refer to Skolem constants as "symbolic constants"
from this point on. Note that symbolic expressions do not contain
references to program variables.
* Second, the type $T'$ redefines some of the operations $o \in T$,
namely those for which we wish to compute symbolic expressions.
An operation $o \in T'$ has the same parameter list as $o \in T$, allowing it
to take inputs with types from both $U$ and $U'$. The return type
of $o \in T'$ generally is from $U'$ (though it can be from $U$).
Thus, $o \in T'$ is a proper function subtype of $o \in T$.
The purpose of $o \in T'$ is to:
(1) perform operation $o \in T$ on the concrete
values associated with its inputs;
(2) build a symbolic expression tree rooted at operation $o$
whose children are the trees associated with the inputs to $o$.
Figure [#fig-subtype] presents pseudo code for the instrumentation
of a type $T$ via a type $T'$.
The class ``Symbolic`` is used to hold an expression tree (``Expr``).
Given a class $T \in U$, a symbolic type $T' \in U'$ is defined by inheriting
from both $T$ and ``Symbolic``. This ensures that a $T'$ can be used
wherever a $T$ is expected.
~ Figure { #fig-subtype caption="Type instrumentation to carry both concrete values and symbolic expressions." }
``` cpp2
class T' : T, Symbolic {
T'(c:T, e:Expr) : T(c), Symbolic(e) {}
override o(this:T, f1:T_1, ... , fk:T_k) : R' {
var c := T.o(this, f1, ... ,fk)
var e := new Expr(T.o, expr(self), expr(f1), ..., expr(fk))
return new R'(c,e)
}
...
}
class R' : R, Symbolic { ... }
function expr(v) = v instanceof Symbolic ? v.getExpr() : v
```
~
A type such as $T'$ only can be constructed by providing a concrete value $c$ of
type $T$ and a symbolic expression $e$ to the constructor for $T'$.
This will be done in exactly two places:
* by the creation of symbolic constants associated with the primary
inputs ($v_1 \ldots v_k$) to the program;
* by the instrumented operations as shown in Figure [#fig-subtype].
An instrumented operation $o$ on arguments (``this``, `f1`, ..., `fk`)
first invokes its corresponding underlying
operator $T.o$ on arguments (``this``, `f1`, ..., `fk`) to get concrete value `c`.
It then constructs a new expression tree `e`
rooted at operator $T.o$, whose children are the result of
mapping the function `expr` over (``this``, `f1`, ..., `fk`).
The helper function `expr(v)`
evaluates to an expression tree in the case that `v` is of ``Symbolic`` type
(representing a type in $U'$) and evaluates to `v` itself, a concrete value
of some type in $U$, otherwise.
Finally, having computed the values `c` and `e`, the instrumented operator
returns ``\($R'$\)(c,e)``, where $R$ is the return type of operator $T.o$,
and $R'$ is a subtype of $R$ from universe $U'$.
Looked at another way, the universe $U'$ represents the "tainting" of
types from $U$. Tainted values flow from program inputs to the
operands of operators. If an operator has been redefined
(as above) then the taint propagates from its inputs to its outputs.
On the other hand, if the operator has not been redefined, then it will
not propagate the taint. In the context of DSE, "taint" means
that the instrumented semantics carries along a symbolic expression tree $e$
along with a concrete value $c$.
The choice of types from the universe $U'$ determines how symbolic
expressions are constructed. For each $T \in U$, the "most symbolic"
(least concrete) choice is the $T'$ that redefines every operator of $T$
(as shown in Figure [#fig-subtype]).
The "least symbolic" (most concrete) choice is $T' = T$ which
redefines no operators. Let $symbolic(T)$ be the
set of types in $U'$ that are subtypes of $T$. The types
in $symbolic(T)$ are partially ordered by subset inclusion on the
set of operators from $T$ they redefine.
<!-- Example of an instrumentation -->
# From Strongest Postconditions to DSE {#sec-sp2dse}
The previous section showed how symbolic expressions can be computed via a
set of instrumented types, where the expressions are computed as a side-effect
of the execution of program operations.
This section shows how these symbolic expressions can be used to form a
*path-condition* (which then can be compiled into a logic formula and
passed to an automated theorem prover to find new inputs to drive a
program's execution along new paths). We derive a *path-condition*
directly from the _strongest postcondition_ (symbolic) semantics of our
programming language, refining it to model the basic operations
of an interpreter.
## Strongest Postconditions
The strongest postcondition transformer $SP$ [@Dijkstra76] is defined over
a predicate $P$ representing a set of
pre-states and a statement $S$ from our language. The transformer $SP(P,S)$
yields a predicate $Q$ such that for any state $s$ satisfying
predicate $P$, the execution of statement $S$ from state $s$,
if it does not go wrong or diverge, yields a state $s'$ satisfying predicate $Q$.
The strongest postcondition for the statements in our language
is defined by the following five rules:
~ MathPre
1. & SP(P, x := E) =^= \exists y . (x = E [ x \rightarrow y ]) \wedge P [ x \rightarrow y ]
2. & SP(P, @skip) =^= P
3. & SP(P,S1;S2) =^= SP(SP(P,S1), S2)
4. & SP(P,@if E @then S_1 @else S_2 @end) =^=
& SP(P\wedge E,S_1) \vee SP(P \wedge \neg E,S_2)
5. & SP(P,@while E @do S @end) =^=
& SP(P,@if E @then S; @while E @do S @end @else @skip @end)
~
Rule (1) defines the strongest postcondition for
the assignment statement. The assignment is modeled
logically by the equality $x = E$ where any free occurrence of $x$ in $E$
is replaced by the existentially quantified variable $y$, which represents
the value of $x$ in the pre-state. The same substitution ($[x \rightarrow y ]$)
is applied to the pre-state predicate $P$.
Rules (2)-(5) define the strongest postcondition for the four control-flow
statements. The rules for the **skip** statement and sequencing (;) are
straightforward.
Of particular interest, note that the rule for the **if-then-else**
statement splits cases on the expression $E$.
It is here that DSE will choose one of the cases for us, as the concrete
execution will evaluate $E$ either to be true or false. This gives rise
to the path-condition (either $P \wedge E$ or $P \wedge \neg E$). The
recursive rule for the **while** loop unfolds as many times as the
expression $E$ evaluates true, adding to the path-condition.
## From $SP$ to DSE {#sp-refined}
Assume that an execution begins with the assignment of initial values $c_1 \ldots c_k$ to the program $P$'s inputs
$V = \{ v_1 : T_1 \ldots v_k : T_k \}$. To seed symbolic execution, some of the types $T_i$ are
replaced by symbolic counterparts $T'_i$, in which case
$v_i$ is initialized to the value $sc_i = T'_i (c_i,SC(v_i))$ instead of the value $c_i$,
where $SC(v_i)$ is the symbolic constant representing the initial value of variable $v_i$.
The symbolic constant $SC(v_i)$ can be thought of as representing any value of
type $T_i$, which includes the value $c_i$.
Let $V_s$ and $V_c$ partition the variables of $V$ into those variables
that are treated symbolically ($V_s$) and those that are treated concretely
($V_c$). The initial state of the program is characterized by the formula
~ Equation
Init = (\bigwedge_{v_i \in V_s} v_i = sc_i) ~\wedge~ (~\bigwedge_{v_i \in V_c} v_i = c_i)
~
Thus, we see that the initial value of every input variable is characterized by
a symbolic constant $sc_i$ or constant $c_i$. We assume that every non-input
variable in the program is initialized before being used.
The strongest postcondition is formulated to deal with open programs,
programs in which some variables are used before being assigned to.
This surfaces in Rule (1) for assignment, which uses existential quantification
to refer to the value of variable $x$ in the pre-state.
By construction,
we have that every variable is defined before being used. This means
that the precondition $P$ can be reformulated as a pair $<St,P_c>$,
where $St$ is a store mapping variables to values and $P_c$ is
the path-condition, a list of symbolic expressions (predicates)
corresponding
to the expressions $E$ evaluated in the context of an **if-then-else**
statement. Initially, we have that :
~ Equation
St = \{ (v_i,sc_i) | v_i \in V_s \} \cup \{ (v_i,c_i) | v_i \in V_c \}
~
representing the initial condition $Init$, and $P_c = []$, the empty list.
We use $St'$ to refer to the formula that the store $St$
induces:
~ Equation
St ' = \bigwedge_{(v,V) \in St} (v = V)
~
Thus, the pair $<St,P_c>$ represents the predicate
$P = St' \wedge (\bigwedge_{c \in P_c} c)$.
A store $St$ supports two operations: $St[x]$ which denotes the
value that $x$ maps to under $St$; $St[x \mapsto V]$, which
produces a new store in which $x$ maps to value $V$ and is everywhere
else the same as $St$.
Now, we can redefine strongest postcondition for assignment to eliminate the
use of existential quantification and model the operation of an interpreter,
by separating out the notion of the store:
~MathPre
1. & SP(<St, P_c>, x := E) =^= <St[x \mapsto eval(St,E)], P_c>\\
~
where $eval(St,E)$ evaluates expression $E$ under the store $St$
(where every occurrence of a free variable
$v$ in $E$ is replaced by the value $St[v]$).
This is the standard substitution rule of a standard operational semantics.
We also redefine the rule for the **if-then-else** statement so
that it chooses which branch to take and appends the appropriate
symbolic expression (predicate) to the path-condition $P_c$:
~MathPre
4. & SP(<St, P_c>, @if E @then S_1 @else S_2 @end) =^=
& @let choice = eval(St,E) @in
& @if choice @then SP(<St, P_c :: expr(choice) >,S_1)
& @else SP(<St, P_c :: \neg expr(choice) >,S_2)
~
The other strongest postcondition rules remain unchanged.
## Summing it up
We have shown how the symbolic predicate transformer $SP$ can
be refined into a symbolic interpreter operating over the
symbolic types defined in the previous section.
In the case when every input variable is symbolic and every
operator is redefined, the path-condition is equivalent to the
_strongest postcondition_ of the execution path $p$.
This guarantees that the path-condition for $p$ is *sound*.
In the case where a subset of the input variables are symbolic
and/or not all operators are redefined, the path-condition of $p$
is not guaranteed to be sound. We leave it as an exercise to the
reader to establish sufficient conditions under which the
use of concrete values in place of symbolic expressions is
guaranteed to result in sound path-conditions.
This section does not address the compilation of a symbolic
expression to the (logic) language of an underlying ATP, nor the
lifting of a satisfying assignment to a formula back to the
level of the source language. This is best done for a particular
source language and ATP, as detailed in the next section.
# Architecture of PyExZ3 { #sec-impl }
In this section we present the high-level architecture
of a simple DSE tool for the Python language, written in Python, called [PyExZ3].
Figure [#fig-arch]
shows the class diagram (dashed edges are "has-a" relationships; solid edges
are "is-a" relationships) of the tool.
~ Figure { #fig-arch caption="Classes in PyExZ3" page-align=here }
![arch]
~
[arch]: arch.png "arch" { width=100% }
## Loading the code under test
The `Loader` class takes as input the name of a Python file (e.g., `foo.py`)
to import. The loader expects to find a function named
`foo` inside the file `foo.py`, which will serve as the starting point
for symbolic execution. The `FunctionInvocation` class
wraps this starting point. By default, each parameter to `foo` is
a `SymbolicInteger` unless there is decorator `@symbolic` specifying
the type to use for a particular argument.
The loader provides the capability to reload the
module `foo.py` so that the function `foo` can be
reexecuted within the same process from the same initial
state with different inputs (see the class `ExplorationEngine`)
via the `FunctionInvocation` class.
Finally, the loader looks for specially named functions `expected_result`
(`expected_result_set`) in file `foo.py` to use as a test oracle after
the path exploration (by `ExplorationEngine`) has completed. These
functions are expected to return a list of values to check
against the list of return values collected from the executions of
the `foo` function.
The presence of the function `expected_result` (`expected_result_set`)
yields a comparison of the two lists as bags (sets). We use such weaker
tests, rather than list equality, because the order in which paths
are explored by the `ExplorationEngine` can easily change due to small
differences in the input programs.
## Symbolic types
Python supports multiple inheritance and, more importantly,
allows user-defined classes to inherit
from its built-in types (such as `object` and `int`).
We use these two features two implement
symbolic versions of Python objects and integers,
following the instrumented type approach defined in Section [#sec-semantics].
The abstract class `SymbolicType` contains the
symbolic expression tree and provides basic functions for constructing
and accessing the tree. This class does double duty, as it is used
to represent the (typed) symbolic constants associated with the parameters to the
function, as well as the expression trees (per Section [#sec-semantics]). Recall
that the symbolic constants only appear as leaves of expression trees.
This means that the expression tree stored in a `SymbolicType` will
have instances of a `SymbolicType` as some of its leaves, namely
those leaves representing the symbolic constants.
<!-- Need to say why this is important -->
The abstract class provides an `unwrap` method which returns
the pair of concrete value and expression tree associated with
the `SymbolicType`, as well as a `wrap` method that takes a
pair of concrete value and expression tree and creates a `SymbolicType`
encapsulating them.
The class `SymbolicObject` inherits from both `object` and `SymbolicType` and
overrides the basic comparison operations (`__eq__`, `__neq__`, `__lt__`, `__le__`,
`__gt__`, and `__ge__`).
The class `SymbolicInteger` inherits from both `int` and `SymbolicObject`
and overrides a number of `int`'s arithmetic methods
(`__add__`, `__sub__`, `__mul__`, `__mod__`, `__floordiv_`)
and bitwise methods
(`__and__`, `__or__`, `__xor__`, `__lshift__`, `__rshift__`).
## Tracing control-flow
As Python interprets a program, it will evaluate expressions,
substituting the value of a variable in its place in an
expression, applying operators (methods) to
parameter values and assigning the return values of methods
to variables. Value of type `SymbolicInteger` will simply flow
through this interpretation, without necessitating any change
to the program or the interpreter. This takes care
of the case of the strongest-postcondition rule for assignment,
as elaborated in Section [#sp-refined].
The strong-postcondition rule for a conditional test requires
a little more work. In Python, any object can be tested in
an `if` or `while` condition or as the operand of a Boolean operation
(`and`, `or`, `not`)
The Python base class `object` provides a method named `__bool__` that
the Python runtime calls whenever it needs to perform such a conditional test.
This hook provides us what we need to trace the conditional
control-flow of a Python execution. We override this method in the class
`SymbolicObject` in order to inform the `PathToConstraint` object (defined
later) of the symbolic expression for the conditional (as captured by
the `SymbolicInteger` subclass).
Note that the use of this hook in combination with the
tainted types will only trace those conditionals
in a Python execution whose values inherit from `SymbolicObject`;
by definition, "untainted" conditionals do not depend on symbolic
inputs so there is no value in adding them to the path-condition.
## Recording path-conditions
A `Predicate` records a conditional (more precisely the symbolic expression
found in `SymbolicInteger`) and
which way it evaluated in an execution. A `Constraint`
has a `Predicate`, a parent `Constraint` and a set
of `Constraint` children. `Constraints` form a tree, where
each path starting from the root of the tree represents
a path-condition. The tree represents all path-conditions that have
been explored so far.
The class `PathToConstraint` has a reference to the root of
the tree of `Constraint`s
and is responsible for installing a new `Constraint` in the tree
when notified by the overridden `__bool__` method of `SymbolicObject`.
`PathToConstraint` also tracks whether or not the current execution
is following an existing path in the tree and grows the
tree as needed. In fact, it actually
tracks whether or not the current execution follows a particular
*expected path* in the tree.
The expected path is the result
of the `ExplorationEngine` picking a constraint $c$ in the tree,
and asking the ATP if the path-condition consisting of the prefix
of predicates up to but not including $c$ in the tree,
followed by the negation of $c$'s predicate is satisfiable. If the
ATP returns "satisfiable" (with a new input $i$), then the assumption
is that path-condition prefix is sound (that is, the execution of
the program on input $i$ will follow the prefix).
However, it is possible
for the path-condition to be unsound and for
the executed path to diverge early
from the expected path, due to the fact that not every operation
has a symbolic encoding. The tool simply reports the divergence
and continues to process the execution as usual (as a diverging
path may lead to some other interesting part of the code).
## From symbolic types to Z3
As we have explained DSE, the symbolic expressions are
represented at the level of the source language. As detailed later
in Section [#sec-int2z3], we must translate
from the source language to the input language of an
automated theorem prover (ATP), in this case [Z3]. This
separation of languages is quite useful, as we may have
the need to translate a given symbolic expression
to the ATP's language multiple times, to make use of different
features of the underlying ATP.
Furthermore, this separation
of concerns allows us to easily retarget the DSE tool to a
different ATP.
The base class `Z3Expression` represents a Z3 formula. The two
subclasses `Z3Integer` and `Z3BitVector` represent different ways
to model arithmetic reasoning about integers in Z3. We will describe
the details of these encodings in Section [#sec-int2z3].
The class `Z3Wrapper` is responsible for performing the
translation from the source language (Python) to Z3's input language,
invoking Z3, and lifting a Z3 answer back to the level of Python.
The `findCounterexample` method does all the work, taking as
input a list of `Predicate`s (called `assertions`)
as well as a single `Predicate` (called
the `query`). The `assertions` represent a path-condition
prefix derived from the `Constraint` tree that we wish the next
execution to follow, while `query` represents the predicate
following the prefix in the tree that we will negate.
The method constructs the formula
~Equation
(\bigwedge_{a \in asserts} a) \wedge \neg query
~
and asks Z3 if it is satisfiable. The method performs
a standard syntactic "cone of influence" (CIF)
reduction on the `asserts` with respect to the
`query` to shrink the size of the formula. For example,
if `asserts` is the set of predicates $\{ (x<a), (a<0), (y>0) \}$ and
the query is $(x=0)$, then the CIF yields the
set $\{ (x<a), (a<0) \}$, which does not include the predicate $(y>0)$,
as the variable $y$ is not in the set of variables (transitively)
related to variable $x$.
If the formula is satisfiable a model is requested
from Z3 and lifted back to Python's type universe. Note that
because of the CIF reduction, the model may not mention certain
input variables, in which case we simply keep their values from
the execution from which the `asserts` and `query` were derived.
## Putting it all together
The class `ExplorationEngine` ties everything together. It kicks off
an execution of the Python code under test using `FunctionInvocation`.
As the Python code executes, building symbolic expressions via `SymbolicType`
and its subclasses, callbacks to `PathToConstraint` create
a path-condition, represented by `Constraint` and `Predicate`.
Newly discovered `Constraints` are added to the end of a deque maintained by
`ExplorationEngine`.
Given the first seed execution, `ExplorationEngine` starts the work of
exploring paths in a breadth-first fashion. It removes a `Constraint` $c$
from the front of its deque and, if $c$ has not been already "processed",
uses `Z3Wrapper` to find a new input (as discussed in the previous section)
where $c$ is the query (to be negated) and the path to $c$ in the
`Constraint` tree forms the assertions.
A `Constraint` $c$ in the tree is considered "processed" if an execution
has covered $c'$, a sibling of $c$ in the tree that represents
the negation of the predicate associated with $c$, or if constraint $c$
has been removed from the deque.
# From Python Integers to Z3 Arithmetic { #sec-int2z3 }
In languages such as C and Java, integers are finite-precision,
generally limited to the size of a machine word (32 or 64 bits, for example).
For such languages, satisfiability of finite-precision integer arithmetic
is decidable and can be reduced to Z3's theory of bit-vectors, where
each arithmetic operation is encoded by a circuit. This translation permits
reasoning about non-linear arithmetic problems, such as
$\exists x,y,z : x*z + y \leq (z/y)+5$.
Python (3.0) integers, however, are not finite-precision. They are only
limited by the size of machine memory. This means, for example, that
Python integers don't overflow or underflow. It also means that
we can't hope to decide algorithmically whether or not a given
equation over integer variables has a solution in general. Hilbert's famous
10th problem and its solution by Matiyasevich tells us that it is
undecidable whether or not a polynomial
equation of the form $p(x_1, \ldots, x_n) = 0$ with integer coefficients
has an solution in the integers.
This means that we will resort to heuristic approaches in our use
of the [Z3] ATP. The special case of linear integer arithmetic (LIA)
is decidable and supported by Z3. In order to deal with non-linear operations,
we use uninterpreted functions (UF). Thus, if Z3 returns
"unsatisfiable" we know that there is no solution, but if the
Z3 "satisfiable", we must treat the answer as a "don't know".
The class `Z3Integer` is used to translate a symbolic expression
into the theory LIA+UF and check for unsatisfiability. We leave it as an
implementation exercise to check if a symbolic expression can
be converted to LIA (without the use of UF) in order to make
use of "satisfiable" answers from the LIA solver.
If the translation to `Z3Integer` does not return "unsatisfiable", we
use Z3's bit-vector decision procedure (via the class
`Z3BitVector`) to heuristically
try to find satisfiable answers, even in the presence of non-linear
arithmetic. We start with bit-vectors of size $N=32$ and *bound* the values
of the symbolic constants to fit within 8 bits in order to find
satisfiable solutions
with small values. Also, because Python integers do not overflow/underflow,
the bound helps us reserve space in the bit-vector to allow the
results of operations to exceed the bound while not overflowing
the bit-vector. As long as Z3 returns "unsatisfiable" we increase
the bound. If the bound reaches $N$, we increase $N$ by 8 bits,
leaving the bound where it is and continue.
If Z3 returns
"satisfiable", it may be the case that Z3 found a solution
that involved overflow in the bit-vector world of arithmetic
(modulo $2^N-1$). Therefore,
the solution is validated back in the
Python world by evaluating the formula under that solution
using Python semantics.
If the formula does not evaluate to the same
value in both worlds, then we increase $N$ by 8 bits (to
create a gap between the bound and $N$) and continue to search
for a solution.
The process terminates when we find a valid satisfying solution
or $N=64$ and the bound reaches 64 (in which case, we return "don't know").
# Extensions {#sec-extensions}
We have presented the basics of dynamic symbolic execution
(for Python).
A more thorough treatment would deal with other data types besides
integers, such as Python dictionaries, strings and lists, each
of which presents their own challenges for symbolic reasoning.
There are many other interesting challenges in DSE, such
as dealing with user-defined classes (rather than built-in types
as done here) and multi-threaded execution.
# Acknowledgements
Many thanks to the students of the 2014 Marktoberdorf Summer School
on Dependable Software Systems Engineering
for their questions and feedback about the first author's lectures on dynamic
symbolic execution. The following students of the summer school
helpfully provided tests for the [PyExZ3] tool: Daniel Darvas,
Damien Rusinek, Christian Dehnert and Thomas Pani. Thanks also to Peter
Chapman for his contributions.
<!--
# From Python Dictionaries to Z3 Maps { #sec-dict2z3 }
Python dictionaries, which map keys to values,
introduce mutation into the picture. The methods are:
- Length: `__length__(self)` - will be maintained concretely, as cardinality constraints
are beyond the scope of what we can handle
- Get: `__getitem__(self,key)` - Select
- Set: `__setitem__(self,key,value)` - Update
- Lookup: `__contains__(self,key)` -
- Delete: `__delitem__(self,key)` - Update
A dictionary can be mutated via the `__setitem__` and '__delitem__` methods.
The keys stored in Python dictionary must be hashable values.
All of Python's immutable
built-in objects (such as integers, tuples and strings) are hashable.
User-defined classes give rise to hashable mutable objects, where
the hash value is the object id (an immutable field of the object).
Ideally, symbolic expression trees should contain only
immutable values, as they are a pure function of the initial
(immutable) state of a program. However, the reality is that
the values associated with keys in a dictionary can be mutable.
For example, a dictionary itself can be a value in another
dictionary.
As we will see, for the purposes of modelling a dictionary symbolically,
however, the object id of the value in a (key,value) pair is all that
needs to be recorded. The object id is immutable, as mentioned before.
Thus, we can represent the state of the dictionary via an append-only log
of updates where the parameters
to each update are immutable values (set and delete are the update
operations). Each lookup/get/length operation hangs off of a particular
prefix of the log.
We model the dictionary as initially
empty, containing no mapping (rejects all lookups and get, length is zero).
The essential axioms
* Initially empty
* Select
* Update
Inverting select means that we need disequality on values in
the dictionary (SymbolicObject)
Equality of dictionaries (extensional arrays)
-->
# References {-}
[BIB]
================================================
FILE: marktoberdorf_paper/DSE/IOS-Book-Article.cls
================================================
%% This is file `IOSarticle.cls'
%%
%% Generic LaTeX 2e class file for the IOS Press publications
%%
%% Macros written by Vytas Statulevicius, VTeX, Lithuania
%% for IOS Press, The Netherlands
%% Please submit bugs or your comments to vytas@vtex.lt
%%
%% You are free to use this class file as you see fit, provided
%% that you do not make changes to the file.
%% If you DO make changes, you are required to rename this file.
%%
%% It may be distributed under the terms of the LaTeX Project Public
%% License, as described in lppl.txt in the base LaTeX distribution.
%% Either version 1.0 or, at your option, any later version.
%%
%% \CharacterTable
%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
%% Digits \0\1\2\3\4\5\6\7\8\9
%% Exclamation \! Double quote \" Hash (number) \#
%% Dollar \$ Percent \% Ampersand \&
%% Acute accent \' Left paren \( Right paren \)
%% Asterisk \* Plus \+ Comma \,
%% Minus \- Point \. Solidus \/
%% Colon \: Semicolon \; Less than \<
%% Equals \= Greater than \> Question mark \?
%% Commercial at \@ Left bracket \[ Backslash \\
%% Right bracket \] Circumflex \^ Underscore \_
%% Grave accent \` Left brace \{ Vertical bar \|
%% Right brace \} Tilde \~}
%%
%%
%% Bug fixes and changes:
%% 2004.05.19 - small change o layout
%% 2004.09.14 - \parindent changed
%% 2006.03.27 - centering on A4, no running heads, \snm makes uppercase
%% 2006.04.20 - changed: \thebibliography size, indent, \parindent
\NeedsTeXFormat{LaTeX2e}[1995/12/01]
\ProvidesClass{IOS-Book-Article}
[2006/04/20 v1.0, IOS Press]
\newif\if@restonecol \@restonecolfalse
\newif\if@openright
\newif\if@mainmatter \@mainmattertrue
\DeclareOption{draft}{\setlength\overfullrule{5pt}}
\DeclareOption{final}{\setlength\overfullrule{0pt}}
\DeclareOption{openright}{\@openrighttrue}
\DeclareOption{openany}{\@openrightfalse}
\DeclareOption{onecolumn}{\@twocolumnfalse\@restonecoltrue}
\DeclareOption{twocolumn}{\@twocolumntrue}
\DeclareOption{leqno}{\input{leqno.clo}}
\DeclareOption{fleqn}{\input{fleqn.clo}}%
%
% Numbering switches:
\newif\if@seceqn \@seceqnfalse \DeclareOption{seceqn}{\@seceqntrue}
\newif\if@secfloat \@secfloatfalse \DeclareOption{secfloat}{\@secfloattrue}
\newif\if@secthm \DeclareOption{secthm}{\@secthmtrue}
%
%
% Selection of font size and page dimensions
% If 12pt option is used, page will be reduced by 80% at printing time
\newif\if@ten@point \@ten@pointfalse
\DeclareOption{10pt}{\@ten@pointtrue}
\DeclareOption{12pt}{\@ten@pointfalse}
% Information about the publication
\def\booktitle#1{\gdef\book@title{#1}}
\def\bookeditors#1{\gdef\book@editors{#1}}
\def\publisher#1{\gdef\@publisher{#1}}
\booktitle{Book Title}
\bookeditors{Book Editors}
\publisher{IOS Press}
\ExecuteOptions{10pt,onecolumn,twoside,final,openright,fleqn}
\ProcessOptions
%
%************************* FONTS
%\def\@xivpt{14}
%\def\@xviipt{17}
%\def\@xviiipt{18}
%\def\@xxpt{20}
%\def\@xxivpt{24}
% Fonts:
\typeout{Ten point}
%
\renewcommand\normalsize{%
\@setfontsize\normalsize\@xpt{12pt plus .5\p@ minus .1\p@}%
\abovedisplayskip 12\p@ \@plus3pt \@minus3pt%
\abovedisplayshortskip\abovedisplayskip%
\belowdisplayshortskip\abovedisplayskip%
\belowdisplayskip \abovedisplayskip%
\let\@listi\@listI}
\newcommand\small{%
\@setfontsize\small\@ixpt\@xipt%
\abovedisplayskip 5.5\p@ \@plus3pt%
\abovedisplayshortskip 5.5\p@ \@plus1pt \@minus1pt%
\belowdisplayshortskip 5.5\p@ \@plus1pt \@minus1pt%
\def\@listi{\leftmargin\leftmargini
\topsep 5\p@ \@plus2\p@ \@minus2\p@
\parsep \z@ \itemsep \parsep}%
\belowdisplayskip \abovedisplayskip%
}
\newcommand\footnotesize{%
\@setfontsize\footnotesize\@viiipt\@xpt%
\abovedisplayskip 5.5\p@ \@plus3pt%
\abovedisplayshortskip 5.5\p@ \@plus1pt \@minus1pt%
\belowdisplayshortskip 5.5\p@ \@plus1pt \@minus1pt%
\def\@listi{\leftmargin\leftmargini
\topsep 4\p@ \@plus2\p@ \@minus2\p@
\parsep \z@ \itemsep \parsep}%
\belowdisplayskip \abovedisplayskip%
}
\newcommand\scriptsize{\@setfontsize\scriptsize\@viiipt{9.5}}
\newcommand\tiny{\@setfontsize\tiny\@vipt\@viipt}
\newcommand\large{\@setfontsize\large\@xiipt{14}}
\newcommand\Large{\@setfontsize\Large\@xivpt{18}}
\newcommand\LARGE{\@setfontsize\LARGE\@xviipt{22}}
\newcommand\huge{\@setfontsize\huge\@xxpt{25}}
\newcommand\Huge{\@setfontsize\Huge\@xxvpt{30}}
\normalsize
% Customization of fonts
\renewcommand\sldefault{it}
\renewcommand\bfdefault{b}
\let\slshape\itshape
%
% ********************* DIMENSIONS:
% TEXT DIMENSIONS
\setlength\parindent{18\p@}
\@settopoint\parindent
\setlength\textwidth{124mm}
\@settopoint\textwidth
\setlength\textheight{200mm}
\@settopoint\textheight
\setlength\columnsep{10mm}
\@settopoint\columnsep
\setlength\columnwidth{95mm}
\@settopoint\columnwidth
\setlength\columnseprule{0\p@}
\hoffset -0.5cm
\voffset -1cm
% HEADS:
\setlength\headheight{12\p@}
\setlength\headsep {15\p@}
\setlength\topskip {10\p@}
\setlength\footskip {25\p@}
\setlength\maxdepth {.5\topskip}
% SIDE MARGINS
\setlength\oddsidemargin {0mm}
\setlength\evensidemargin {0mm}
\setlength\topmargin {10mm}
\@settopoint\topmargin
% TEXT PARAMETERS
\setlength\lineskip{1\p@}
\setlength\normallineskip{1\p@}
\renewcommand\baselinestretch{}
\setlength\parskip{0\p@}
% Center on A4:
\def\paper@width {210mm}
\def\paper@height{297mm}
\hoffset=-1in
\voffset=-1in
\@tempdima=\paper@width
\advance\@tempdima by-\textwidth
\divide\@tempdima by2
\setlength\evensidemargin {\@tempdima}%
\setlength\oddsidemargin {\@tempdima}%
\@tempdima=\paper@height
\advance\@tempdima by-\textheight
\advance\@tempdima by-\headsep
\advance\@tempdima by-\headheight
\divide\@tempdima by2
\setlength\topmargin {\@tempdima}%
% BREAKS
\setlength\smallskipamount{6\p@ \@plus 1\p@ \@minus 1\p@}
\setlength\medskipamount{12\p@ \@plus 3\p@ \@minus 3\p@}
\setlength\bigskipamount{24pt \@plus 3\p@ \@minus 3\p@}
% PAGE-BREAKING PENALTIES
\clubpenalty=4000
\widowpenalty=4000
\displaywidowpenalty=50
\predisplaypenalty=0 % Breaking before a math display.
% \postdisplaypenalty % Breaking after a math display.
% \interlinepenalty % Breaking at a line within a paragraph.
% \brokenpenalty % Breaking after a hyphenated line.
\pretolerance=100 % Badness tolerance for the first pass (before hyphenation)
\tolerance=800 % Badness tolerance after hyphenation
\hbadness=800 % Badness above which bad hboxes will be shown
\emergencystretch=3\p@
\hfuzz=1\p@ % do not be to critical about boxes
%
\doublehyphendemerits=0
\adjdemerits=0
\brokenpenalty=0
\interlinepenalty=0
%
\if@twocolumn
\setlength\marginparsep {10\p@}
\else
\setlength\marginparsep{7\p@}
\fi
\setlength\marginparpush{5\p@}
% FOOTNOTES
\setlength\footnotesep{6.65\p@}
\setlength{\skip\footins}{12\p@ \@plus 6\p@}
% FLOATS
\setlength\floatsep {15\p@ \@plus 10\p@ \@minus 4\p@}
\setlength\textfloatsep{12\p@ \@plus 6\p@ \@minus 4\p@}
\setlength\intextsep {12\p@ \@plus 6\p@ \@minus 4\p@}
\setlength\dblfloatsep {15\p@ \@plus 10\p@ \@minus 4\p@}
\setlength\dbltextfloatsep{12\p@ \@plus 12\p@ \@minus 4\p@}
% For floats on a separate float page or column:
\setlength\@fptop{0\p@ \@plus 1fil}
\setlength\@fpsep{8\p@ \@plus 1000fil}
\setlength\@fpbot{0\p@ \@plus 1fil}
\setlength\@dblfptop{0\p@ \@plus 1fil}
\setlength\@dblfpsep{8\p@ \@plus 1000fil}
\setlength\@dblfpbot{0\p@ \@plus 1fil}
%
\setcounter{topnumber}{5}
\renewcommand\topfraction{.90}
\setcounter{bottomnumber}{5}
\renewcommand\bottomfraction{.90}
\setcounter{totalnumber}{10}
\renewcommand\textfraction{.10}
\renewcommand\floatpagefraction{.9}
\setcounter{dbltopnumber}{5}
\renewcommand\dbltopfraction{.99}
\renewcommand\dblfloatpagefraction{.8}
%
% PENALTIES
\@lowpenalty 51
\@medpenalty 151
\@highpenalty 301
\@beginparpenalty -\@lowpenalty
\@endparpenalty -\@lowpenalty
\@itempenalty -\@lowpenalty
% LISTS
\setlength\partopsep{0\p@}
\def\@listI{\leftmargin\leftmargini
\parsep 0\p@ \@plus2\p@ \@minus\p@
\topsep 9\p@ \@plus2\p@ \@minus2\p@
\partopsep\p@
\itemsep 1\p@ \@plus.5\p@ \@minus1\p@}
\let\@listi\@listI
\@listi
\def\@listii {\leftmargin\leftmarginii
\labelwidth\leftmarginii
\advance\labelwidth-\labelsep
\topsep 4\p@ \@plus2\p@ \@minus\p@
\parsep 0\p@ \@plus1\p@ \@minus\p@
\itemsep \parsep}
\def\@listiii{\leftmargin\leftmarginiii
\labelwidth\leftmarginiii
\advance\labelwidth-\labelsep
\topsep 2\p@ \@plus\p@\@minus\p@
\parsep \z@
\partopsep \p@ \@plus\z@ \@minus\p@
\itemsep \topsep}
\def\@listiv {\leftmargin\leftmarginiv
\labelwidth\leftmarginiv
\advance\labelwidth-\labelsep}
\def\@listv {\leftmargin\leftmarginv
\labelwidth\leftmarginv
\advance\labelwidth-\labelsep}
\def\@listvi {\leftmargin\leftmarginvi
\labelwidth\leftmarginvi
\advance\labelwidth-\labelsep}
%
\DeclareMathSizes{\@xivpt}{\@xivpt}{\@xpt}{\@viiipt}
\DeclareMathSizes{12}{12}{\@viiipt}{\@viipt}
%
% ******************** HEADINGS
%
% normal heading
\def\ps@headings{%
\let\@oddfoot\@empty\let\@evenfoot\@empty
\def\@evenhead{\footnotesize\rlap{\thepage}\hfill\textit{\leftmark}\hfill}%
\def\@oddhead{\footnotesize\hfill\textit{\rightmark}\hfill\llap{\thepage}}%
}%
% empty RH
\def\ps@empty{\let\@mkboth\@gobbletwo
\def\@oddhead{\hfill}\def\@oddfoot{}
\let\@evenhead\@oddhead\let\@evenfoot\@oddfoot}
%
% RH with pagenumber at bottom
\def\ps@plain{\let\@mkboth\@gobbletwo
\def\@oddhead{\hfill}\def\@oddfoot{}
\let\@evenhead\@oddhead
\def\@oddfoot{\hfill\footnotesize\thepage\hfill}
\let\@evenfoot\@oddfoot
}
% First page RH
\def\ps@copyright{\let\@mkboth\@gobbletwo
\def\@evenhead{\parbox[t]{.75\textwidth}{\footnotesize\raggedright\itshape\titleheadline}\hfill\footnotesize\thepage}%
\def\@oddhead {\parbox[t]{.75\textwidth}{\footnotesize\raggedright\itshape\titleheadline}\hfill\footnotesize\thepage}%
\let\@oddfoot\relax%
\let\@evenfoot\@oddfoot%
}
%
% HEADLINE: Book Title
% Book Editors
% IOS Press, 0000
%
\def\titleheadline{%
\book@title\\
\book@editors\\
\@publisher, \the\@pubyear}
%
\def\@copyright{\@issn/\the@copyear/\$\@price\ \copyright@sign\
\the\@pubyear\@copyrightowner}%
%
% ************************ FOOTNOTE
%
\newcommand\@makefntext[1]{%
\parindent1em\@makefnmark #1}
\def\@makefnmark{\@textsuperscript{\normalfont\@thefnmark}}%
%
% ************************ Counters
\setcounter{secnumdepth}{3}
\newcounter {section}
\newcounter {subsection}[section]
\newcounter {subsubsection}[subsection]
\newcounter {paragraph}[subsubsection]
\newcounter {subparagraph}[paragraph]
\renewcommand \thesection {\@arabic\c@section}
\renewcommand\thesubsection {\thesection.\@arabic\c@subsection}
\renewcommand\thesubsubsection{\thesubsection .\@arabic\c@subsubsection}
\renewcommand\theparagraph {\thesubsubsection.\@arabic\c@paragraph}
\renewcommand\thesubparagraph {\theparagraph.\@arabic\c@subparagraph}
%
% ******************** Sectioning commands
\def\no@harm{\let\thanks=\@gobble \let\\=\@empty}
%**************** Section commands
\def\nohyphen{\pretolerance=10000 \tolerance=10000
\hyphenpenalty=10000 \exhyphenpenalty=10000}
\newcommand\section{\@startsection {section}{1}{\z@}%
{-\bigskipamount}%
{\medskipamount}%
{\normalsize\bfseries\nohyphen\raggedright}}
\newcommand\subsection{\@startsection {subsection}{2}{\z@}%
{-\medskipamount}%
{\medskipamount}%
{\normalsize\itshape\nohyphen\raggedright}}
\newcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}%
{-\medskipamount}%
{\smallskipamount}%
{\normalsize\itshape\nohyphen\raggedright}}
\newcommand\paragraph{\@startsection{paragraph}{4}{\z@}%
{\smallskipamount}%
{-1em}%
{\normalsize\itshape}}
\newcommand\subparagraph{\@startsection{subparagraph}{5}{\z@}%
{0.1pt}%
{-1em}%
{\normalsize\itshape}}
% Format for the counter:
\def\@seccntformat#1{\csname the#1\endcsname.\enspace}
%
\def\appendix{\par
\setcounter{section}{0}%
\setcounter{subsection}{0}%
\gdef\thesection{\Alph{section}}}
%
\def\acknowledgements{\section*{\acknowledgementsname}%
\typeout{\acknowledgementsname}}
%
\def\notes{\section*{Notes}\footnotesize}
\def\endnotes{\par \vskip 6pt plus12pt minus2pt\relax}
%****************** LISTS
\if@twocolumn
\setlength\leftmargini {2em}
\else
\setlength\leftmargini {2.5em}
\fi
\leftmargin \leftmargini
\setlength\leftmarginii {2.2em}
\setlength\leftmarginiii {1.87em}
\setlength\leftmarginiv {1.7em}
\if@twocolumn
\setlength\leftmarginv {.5em}
\setlength\leftmarginvi {.5em}
\else
\setlength\leftmarginv {1em}
\setlength\leftmarginvi {1em}
\fi
\setlength \labelsep {.4em}
\setlength \labelwidth{\leftmargini}
\addtolength\labelwidth{-\labelsep}
%
\renewcommand\theenumi{\@arabic\c@enumi}
\renewcommand\theenumii{\@alph\c@enumii}
\renewcommand\theenumiii{\@roman\c@enumiii}
\renewcommand\theenumiv{\@Alph\c@enumiv}
\newcommand\labelenumi{\theenumi.}
\newcommand\labelenumii{(\theenumii)}
\newcommand\labelenumiii{\theenumiii.}
\newcommand\labelenumiv{\theenumiv.}
\renewcommand\p@enumii{\theenumi}
\renewcommand\p@enumiii{\theenumi(\theenumii)}
\renewcommand\p@enumiv{\p@enumiii\theenumiii}
%
\def\setenumlabel#1{\gdef\max@enumlabel{#1}}
\setenumlabel{1.}
%
\def\enumerate{\@ifnextchar[{\enumerate@}{\enumerate@[\max@enumlabel]}}
%
\def\enumerate@[#1]{\ifnum \@enumdepth >4 \@toodeep\else
\advance\@enumdepth \@ne
\edef\@enumctr{enum\romannumeral\the\@enumdepth}%
\list {\csname label\@enumctr\endcsname}%
{\usecounter{\@enumctr}\def\makelabel##1{{\hfill\rm ##1}}
\settowidth{\labelwidth}{#1}
\advance\labelwidth by\parindent \labelsep=0.5em
\leftmargin\z@ \rightmargin\z@ \itemindent=\labelwidth
\advance\itemindent\labelsep
\leftmargin=\the\itemindent\itemindent=\z@
\partopsep\z@ \topsep\smallskipamount \parsep\z@ \itemsep\z@ %\@rightskip\z@ plus 1fil
\listparindent\z@}\fi\setenumlabel{1.}}
%%%%%%%%%%%%%%%%%%%%%% ITEMIZE
\newcommand\labelitemi{\normalfont\bfseries \textbullet}
\newcommand\labelitemii{\textasteriskcentered}
\newcommand\labelitemiii{\textasteriskcentered}
\newcommand\labelitemiv{\textperiodcentered}
\let\@itemize@indent\parindent
%
\def\itemize{\@ifnextchar[{\itemize@}{\itemize@[]}}
\def\itemize@[#1]{\ifnum \@itemdepth >4 \@toodeep\else
\advance\@itemdepth \@ne
\edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
\if.#1. \else\def\@@tempa{#1}\edef\@itemitem{@@tempa}\fi\list
{\csname\@itemitem\endcsname}{\settowidth{\labelwidth}
{\csname\@itemitem\endcsname}
\def\makelabel##1{##1}\labelsep=0.5em%ST
\itemindent=\labelwidth \advance\itemindent\labelsep
\advance\itemindent\@itemize@indent
\leftmargin\the\itemindent \itemindent=\z@
\partopsep\z@ \topsep\smallskipamount \parsep\z@ %\@rightskip\z@ plus 1fil
\itemsep\z@ \listparindent\z@} \fi}
%
\newenvironment{description}
{\list{}{\labelwidth\z@ \itemindent-\leftmargin
\let\makelabel\descriptionlabel}}
{\endlist}
\newcommand*\descriptionlabel[1]{\hspace\labelsep
\normalfont\bfseries #1}
\newenvironment{verse}
{\let\\\@centercr
\list{}{\itemsep \z@
\itemindent -1.5em%
\listparindent\itemindent
\rightmargin \leftmargin
\advance\leftmargin 1.5em}%
\item\relax}
{\endlist}
\newenvironment{quotation}
{\list{}{\small\listparindent2mm%
\itemindent\z@ %
\rightmargin\z@ \leftmargin\parindent%
\partopsep\z@ \topsep\smallskipamount \parsep\z@%
}%
\item[\Q@strut]\relax}
{\endlist}
\def\Q@strut{\leavevmode\hbox{\vrule height9pt depth1pt width0pt}}
\newenvironment{quote}
{\list{}{\listparindent\z@%
\itemindent \listparindent%
\rightmargin\z@ \leftmargin 1.5em%
\partopsep\z@ \topsep6pt \parsep\z@%
}%
\item[\Q@strut]\relax}
{\endlist}
%
%************************** TABULAR
\let\savehline\hline
\def\thline{\noalign{\vskip3pt}\savehline\noalign{\vskip3pt}}%
\def\fhline{\noalign{\vskip1pt}\savehline\noalign{\vskip7pt}}%
\def\bhline{\noalign{\vskip3pt}\noalign{\global\arrayrulewidth=1\p@}\savehline\noalign{\global\arrayrulewidth=.5\p@}\noalign{\vskip3pt}}%
\def\lhline{\noalign{\vskip3pt}\noalign{\global\arrayrulewidth=.3\p@}\savehline\noalign{\global\arrayrulewidth=.5\p@}\noalign{\vskip3pt}}
%
%************************** MATH SETTINGS
\setlength\mathindent{2em}
\setlength\arraycolsep{1.2\p@}
\setlength\tabcolsep{6\p@}
\setlength\arrayrulewidth{.4\p@}
\setlength\doublerulesep{2\p@}
\setlength\tabbingsep{\labelsep}
\setlength\jot{6\p@}
\skip\@mpfootins = \skip\footins
\setlength\fboxsep{3\p@}
\setlength\fboxrule{.4\p@}
\if@seceqn
\@addtoreset {equation}{section}
\renewcommand\theequation{\thesection.\@arabic\c@equation}
\else
\renewcommand\theequation{\@arabic\c@equation}
\fi
%******* TABLES, FIGURES, ALGORITHM
\newcounter{figure}
\if@secfloat
\@addtoreset{figure}{section}
\renewcommand \thefigure {\thesection.\@arabic\c@figure}
\else
\renewcommand \thefigure {\@arabic\c@figure}
\fi
\def\fps@figure{tbp}
\def\ftype@figure{1}
\def\ext@figure{lof}
\def\fnum@figure{\figurename~\thefigure.}
\newenvironment{figure}
{\let\@makecaption\@makefigurecaption\let\@floatboxreset\@figureboxreset\@float{figure}}
{\end@float}
\newenvironment{figure*}
{\let\@makecaption\@makefigurecaption\let\@floatboxreset\@figureboxreset\@dblfloat{figure}}
{\end@dblfloat}
\def\@figureboxreset{%
\reset@font%
\centering%
\@setnobreak%
\@setminipage%
}
\long\def\@makefigurecaption#1#2{\footnotesize%
\vskip\abovecaptionskip
\setbox\@tempboxa\hbox{\textbf{#1}\enspace #2}%
\ifdim \wd\@tempboxa >\hsize
\unhbox\@tempboxa\par
\else
\hbox to\hsize{\hfil\box\@tempboxa\hfil}%
\fi}
%
% TABLE
\newcounter{table}
\if@secfloat
\@addtoreset{table}{section}
\renewcommand \thetable{\thesection.\@arabic\c@table}
\else
\renewcommand \thetable{\@arabic\c@table}
\fi
\def\fps@table{tbp}
\def\ftype@table{2}
\def\ext@table{lot}
\def\fnum@table{\tablename~\thetable.}
%
\newenvironment{table}
{\let\@makecaption\@maketablecaption%
\let\@floatboxreset\@tableboxreset\@float{table}}
{\end@float}
\newenvironment{table*}
{\let\@makecaption\@maketablecaption%
\let\@floatboxreset\@tableboxreset\@dblfloat{table}}
{\end@dblfloat}
%
\def\@tableboxreset{%
\reset@font%
\centering\footnotesize%
\def\arraystretch{1.2}
\@setnobreak%
\@setminipage%
}
\newlength\abovecaptionskip
\newlength\belowcaptionskip
\setlength\abovecaptionskip{8\p@}
\setlength\belowcaptionskip{3\p@}
%
\newdimen\tablewidth \tablewidth\textwidth
\newdimen\saved@tablewidth \saved@tablewidth\textwidth
%
\long\def\@maketablecaption#1#2{%
\begingroup%
\footnotesize%
\global\setbox\@tempboxa\hbox{\textbf{#1}\enspace #2}%
\endgroup%
\centering%
\ifdim \wd\@tempboxa>\tablewidth %
\parbox[t]{\tablewidth}{\footnotesize\textbf{#1}\enspace #2\vphantom{Ay}\par}%
\else
\hbox to\hsize{\hfill\box\@tempboxa\vphantom{Ay}\hfill}%
\fi%
\global\saved@tablewidth\tablewidth%
\global\tablewidth\hsize\vskip\belowcaptionskip}
%
%
%%****************** Algorithm
\newcounter{algorithm}
\if@secfloat
\@addtoreset{algorithm}{section}
\renewcommand \thealgorithm{\thesection.\@arabic\c@algorithm}
\else
\renewcommand \thealgorithm{\@arabic\c@algorithm}
\fi
\def\fps@algorithm{tbp}
\def\ftype@algorithm{4}
\def\ext@algorithm{loa}
\def\fnum@algorithm{\algorithmname~\thealgorithm.}
%
\newenvironment{algorithm}
{\let\@makecaption\@makealgorithmcaption%
\let\@floatboxreset\@algorithmboxreset\@float{algorithm}}
{\end@float}
\newenvironment{algorithm*}
{\let\@makecaption\@makealgorithmcaption%
\let\@floatboxreset\@algorithmboxreset\@dblfloat{algorithm}}
{\end@dblfloat}
\def\@algorithmboxreset{%
\reset@font%
\centering
\@setnobreak%
\@setminipage%
}
\long\def\@makealgorithmcaption#1#2{\vskip 2ex \small
\hbox to \hsize{\parbox[t]{\hsize}{{\bf #1} #2}}}
%
%%%% Program Code:
\def\programcode{%
\let\@makealgorithmcaption\@makefigurecaption
\def\algorithmname{Program Code}}
%********************* COMPATIBILITY WITH OLD LATEX:
\DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm}
\DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf}
\DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt}
\DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf}
\DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit}
\let\sl\it
\DeclareOldFontCommand{\sc}{\normalfont\scshape}{\@nomath\sc}
\DeclareRobustCommand*\cal{\@fontswitch\relax\mathcal}
\DeclareRobustCommand*\mit{\@fontswitch\relax\mathnormal}
%
% *********** MATH
%
\if@secthm
\@addtoreset{thm}{section}
\def\thethm{\thesection.\arabic{thm}}
\else
\def\thethm{\arabic{thm}}
\fi
%
%***************************** BIBLIOGRAPHY
\newenvironment{thebibliography}[1]
{\section*{\refname}\footnotesize\rmfamily\upshape%
\list{\@biblabel{\@arabic\c@enumiv}}%
{\settowidth\labelwidth{\@biblabel{#1}}%
\leftmargin\labelwidth
\setlength\labelsep{8\p@}
\advance\leftmargin\labelsep
\usecounter{enumiv}%
\let\p@enumiv\@empty
\renewcommand\theenumiv{\@arabic\c@enumiv}}%
\sloppy
\clubpenalty4000
\@clubpenalty \clubpenalty
\widowpenalty4000%
\sfcode`\.\@m}
{\def\@noitemerr
{\@latex@warning{Empty `thebibliography' environment}}%
\endlist}
%
\newcommand\newblock{\hskip .11em\@plus.33em\@minus.07em}
%
\def\@citex[#1]#2{%
\let\@citea\@empty
\@cite{\@for\@citeb:=#2\do
{\@citea\def\@citea{,\penalty\@m\hskip.1pt}%
\edef\@citeb{\expandafter\@firstofone\@citeb}%
\if@filesw\immediate\write\@auxout{\string\citation{\@citeb}}\fi
\@ifundefined{b@\@citeb}{\mbox{\reset@font\bfseries ?}%
\G@refundefinedtrue
\@latex@warning
{Citation `\@citeb' on page \thepage \space undefined}}%
{\hbox{\csname b@\@citeb\endcsname}}}}{#1}}
%****************************** FRONTMATTER *
%
\newtoks\t@glob@notes
\newtoks\t@loc@notes
\newcount\note@cnt
\newcounter{author}
\newcount\n@author
\def\n@author@{}
\newcounter{address}
%
\newcount\sv@hyphenpenalty
%
\newcount\prev@elem \prev@elem=0
\newcount\cur@elem \cur@elem=0
\chardef\e@pretitle=1
\chardef\e@title=1
\chardef\e@subtitle=1
\chardef\e@author=2
\chardef\e@address=3
%
\newif\if@newelem
\newif\if@firstauthor
\newif\if@preface
\newif\if@hasabstract
\newif\if@haskeywords
%
\newbox\fm@box
\newdimen\fm@size
\newbox\t@abstract
\newbox\t@keywords
%
\def\add@tok#1#2{\global#1\expandafter{\the#1#2}}
\def\add@xtok#1#2{\begingroup
\no@harm
\xdef\@act{\global\noexpand#1{\the#1#2}}\@act
\endgroup}
%
\def\tailthanksref[#1]#2{\noexpand\pthanksref{#1}}
\def\pthanksref#1{\global\advance\note@cnt\@ne\ifnum\note@cnt>\@ne
\global\t@loc@notes\expandafter{\the\t@loc@notes\note@sep}\fi
\global\t@loc@notes\expandafter{\the\t@loc@notes#1}}
%
\def\beg@elem{\global\t@loc@notes={}\global\note@cnt\z@}
\def\@xnamedef#1{\expandafter\xdef\csname #1\endcsname}
\def\no@harm{%
\let\\=\relax \let\rm\relax
\let\ss=\relax \let\ae=\relax \let\oe=\relax
\let\AE=\relax \let\OE=\relax
\let\o=\relax \let\O=\relax
\let\i=\relax \let\j=\relax
\let\aa=\relax \let\AA=\relax
\let\l=\relax \let\L=\relax
\let\d=\relax \let\b=\relax \let\c=\relax
\let\bar=\relax
\def\protect{\noexpand\protect\noexpand}}
%
\def\proc@elem#1#2{\begingroup
\no@harm
\def\thanks##1##{\@gobble}%
\def\thanksref##1##{\@gobble}%
\@xnamedef{@#1}{#2}%
\endgroup
\prev@elem=\cur@elem
\cur@elem=\csname e@#1\endcsname
\expandafter\elem@nothanksref#2\thanksref\relax%
\expandafter\elem@nothanks#2\thanks\relax}
%
\def\elem@nothanksref#1\thanksref{\futurelet\@peektok\elem@thanksref}
\def\elem@thanksref{\ifx\@peektok\relax
\else \expandafter\elem@morethanksref \fi}
\def\elem@morethanksref[#1]#2{\add@thanks{#1}\elem@nothanksref}
%
\def\elem@nothanks#1\thanks{\futurelet\@peektok\elem@thanks}
\def\elem@thanks{\ifx\@peektok\relax
\else \ifx\@peektok[ \expandafter\expandafter\expandafter\elem@morethankse
\else \expandafter\expandafter\expandafter\elem@morethanks \fi\fi}
%
\def\elem@morethankse[#1]#2{\thanks@optarg[#1]{#2}\add@thanks{#1}\elem@nothanks}
\def\elem@morethanks#1{\thanks@optarg[]{#1}\add@thanks{}\elem@nothanks}
%
\def\add@thanks#1{%
\global\advance\note@cnt\@ne
\ifnum\note@cnt>\@ne \add@xtok\t@loc@notes{\note@sep}\fi
\ifx.#1.\add@xtok\t@loc@notes{\thefootnote}\else
\add@xtok\t@loc@notes{#1}\fi%
}
\def\add@addressref#1{%
\global\advance\note@cnt\@ne
\ifnum\note@cnt>\@ne \add@xtok\t@loc@notes{\note@sep}\fi
\add@tok\t@loc@notes{\ref{#1}}%
}
\def\note@sep{,}
%
\def\thanks@optarg[#1]#2{%
\ifx.#1.\add@tok\t@glob@notes{\footnotetext}%
\else\add@tok\t@glob@notes{\freefootnotetext}\fi%
\refstepcounter{footnote}%
\ifx.#1.\add@xtok\t@glob@notes{[\the\c@footnote]}%
\else\add@xtok\t@glob@notes{[#1]}\fi%
\add@tok\t@glob@notes{{#2}}%
\ignorespaces}%
%
% FRONTMATTER
%
\def\artty#1{}
%
\newdimen\a@title@skip \a@title@skip=12\p@
\newskip\b@section@skip \b@section@skip=12\p@ plus6\p@ minus6\p@%
\newskip\b@pretitle@skip \b@pretitle@skip=6\p@
%
\def\frontmatter{%
\let\@corresp@note\relax
\global\t@glob@notes={}\global\c@author\z@
\global\c@address\z@
\global\n@author=0\n@author@\relax
\global\advance\n@author\m@ne
\global\@firstauthortrue
\global\@hasabstractfalse
\global\@prefacefalse
\parindent\z@
\open@fm \ignorespaces}
%
\def\preface{\@prefacetrue}
%
% ENDFRONTMATTER
%
\def\endfrontmatter{%
\global\n@author=\c@author \@writecount
\global\@topnum\z@
\ifx\@firstpage\@lastpage
\gdef\@pagerange{\@firstpage}
\else
\gdef\@pagerange{\@firstpage--\@lastpage}
\fi
% \thispagestyle{copyright}%
\if@twocolumn\else\output@glob@notes\fi
\if@preface
\@hasabstractfalse
\fi
\if@hasabstract
\normal@text
\vskip 18\p@
\centering
\leavevmode\box\t@abstract\par
\fi
\if@haskeywords
\normal@text
\if@hasabstract \vskip6pt\else\vskip18pt\fi
\centering
\leavevmode\box\t@keywords\par
\fi
\close@fm
\if@twocolumn\output@glob@notes\fi
\markboth{\@runauthor\@runtitle}{\@runauthor\@runtitle}%
\global\@prefacefalse
\global\leftskip\z@
\global\@rightskip\z@
\global\rightskip\@rightskip
% \global\c@footnote=0
\let\title\relax \let\author\relax
\let\address\relax
\let\frontmatter\relax \let\endfrontmatter\relax
\let\@maketitle\relax \let\@@maketitle\relax
\normal@text}
%
% Dvieju koloneliu zurnale per visa lapo ploti eina
% tik pretitle, title ir subtitle. Tam ivedame komanda
% \maketitle, kuri uzdaro box'a
\def\two@c@maketitle{%
\global\let\close@fm\relax%
\vskip\b@section@skip%
\par \egroup
\emergencystretch=1pc \twocolumn[\unvbox\fm@box]}
%
\if@restonecol
\let\maketitle\relax
\else
\let\maketitle\two@c@maketitle
\fi
%
%
\newdimen\t@xtheight
\def\init@settings{
\splittopskip=\topskip \splitmaxdepth=\maxdepth
\t@xtheight\textheight \advance\t@xtheight-\splittopskip}
%
\def\open@fm{
\global\setbox\fm@box=\vbox\bgroup
\hsize=\textwidth
\centering
\sv@hyphenpenalty\hyphenpenalty
\hyphenpenalty\@M}
%
\def\close@fm{%
\vskip\b@section@skip%
\par \egroup
\if@twocolumn\else%
\fm@size=\dp\fm@box \advance\fm@size by \ht\fm@box
\@whiledim\fm@size>\t@xtheight \do{%
\global\setbox\@tempboxa=\vsplit\fm@box to \t@xtheight
\unvbox\@tempboxa \newpage
\fm@size=\dp\fm@box \advance\fm@size by \ht\fm@box}
\fi%
\if@twocolumn
\emergencystretch=1pc \twocolumn[\unvbox\fm@box]
\else
\unvbox\fm@box
\fi}
%
\def\output@glob@notes{\bgroup
\the\t@glob@notes
\egroup}
%
\def\justify@off{\let\\=\@normalcr
\leftskip\z@ \@rightskip\@flushglue \rightskip\@rightskip}
\def\justify@on{\let\\=\@normalcr
\parfillskip\@flushglue%
\leftskip\z@ \@rightskip\z@ \rightskip\@rightskip}
%
\def\normal@text{\global\let\\=\@normalcr
\global\leftskip\z@ \global\@rightskip\z@ \global\rightskip\@rightskip
\global\parfillskip\@flushglue}
%
\def\@writecount{\write\@mainaux{\string\global
\string\@namedef{n@author@}{\the\n@author}}%
}
%
% TITLE
\def\pretitle#1{%
\vspace*{\b@pretitle@skip}\pretitle@size#1\par\vskip6\p@\hrule
\vskip12\p@}
%
\def\title#1{%
\beg@elem
\title@note@fmt
\add@tok\t@glob@notes
{\title@note@fmt}%
\proc@elem{title}{#1}%
\def\title@notes{\the\t@loc@notes}%
\title@fmt{\@title}{\title@notes}%
\ignorespaces}
%
\newdimen\@@topskip \@@topskip=24\p@
%
\def\title@fmt#1#2{%
\vspace*{\@@topskip}
{\title@size #1\hbox{$^{#2}$}\par}%
\vskip\a@title@skip%
}
%
\def\subtitle#1{%
\beg@elem
\proc@elem{subtitle}{#1}%
\def\title@notes{\the\t@loc@notes}%
\subtitle@fmt{\@subtitle}{\title@notes}%
\ignorespaces}
%
%
\def\subtitle@fmt#1#2{%
{\subtitle@size #1\,\hbox{$^{\mathrm{#2}}$}\par}%
\vskip\a@title@skip%
}
%
\def\title@note@fmt{\def\thefootnote{\arabic{footnote}}}
%
% AUTHOR
%
\newdimen\b@author@skip
\b@author@skip 12\p@
%
\def\author{\@ifnextchar[{\author@optarg}{\author@optarg[]}}
%
\def\author@optarg[#1]#2{\stepcounter{author}%
\beg@elem\def\degs##1{##1}\def\fnms##1{##1}\def\inits##1{##1}%
\def\snm##1{\MakeUppercase{##1}}\def\roles##1{##1}%
\if@firstauthor%
\first@author \global\@firstauthorfalse \fi%
\@for\@tempa:=#1\do{\expandafter\add@addressref\expandafter{\@tempa}}%
\proc@elem{author}{#2}%
\author@fmt{\the\c@author}{\the\t@loc@notes}{\@author}}%
%
%\newbox\author@box
%
\def\author@fmt#1#2#3{\@newelemtrue
\ifnum\prev@elem=\e@author \global\@newelemfalse \fi
\if@newelem \author@fmt@init \fi
\edef\@tempb{#2}\ifx\@tempb\@empty
\hbox{#3}\else
\hbox{#3\,$^{\mathrm{#2}}$}%
\fi}
%
\def\first@author{\author@note@fmt%
\add@tok\t@glob@notes%
{\author@note@fmt}}%
%
\def\author@fmt@init{%
\par
\vskip \b@author@skip
\authors@size\centering
\leavevmode}
%
\def\and{\unskip~and~}
%
\def\author@note@fmt{%
\def\thefootnote{\arabic{footnote}}}
%
\def\sxarabic#1{%
\expandafter\ifcase\value{#1} \or *\or **\or *** \or **** \or *****\fi
}
%
% ADDRESS
%
\def\email#1{{e-mail:\ #1}}
%
\def\address{\@ifstar{\address@star}%
{\@ifnextchar[{\address@optarg}{\address@noptarg}}}
%
\def\address@optarg[#1]#2{\refstepcounter{address}%
\beg@elem
\proc@elem{address}{#2}%
\address@fmt{\the\c@address}{\the\t@loc@notes}{\@address}\label{#1}%
\ignorespaces}
%
\def\address@noptarg#1{\refstepcounter{address}%
\beg@elem
\proc@elem{address}{#1}%
\address@fmt{\z@}{\the\t@loc@notes}{\@address}%
\ignorespaces}
%
\def\address@star#1{%
\beg@elem
\proc@elem{address}{#1}%
\address@fmt{\m@ne}{\the\t@loc@notes}{\@address}%
\ignorespaces}
%
\def\theaddress{\alph{address}}
%
\def\address@fmt#1#2#3{\@newelemtrue
\ifnum\prev@elem=\e@address \@newelemfalse \fi
\if@newelem \address@fmt@init \fi
\bgroup\parskip\z@\noindent\centering \address@size
\ifnum#1=\z@
#3\,$^{\mathrm{#2}}$\space%
\else
\ifnum#1=\m@ne
$^{\phantom{\mathrm{\theaddress}}\,}$#3\,$^{\mathrm{#2}}$%
\else
$^{\mathrm{\theaddress}\,}$#3\,$^{\mathrm{#2}}$%
\fi
\fi
\par\egroup}
%
\def\address@fmt@init{%
\def\@currentlabel{\theaddress}
\par
\vskip 2\p@ plus 1\p@ minus 1\p@}
%
% ABSTRACT
%
\def\abstract{\@ifnextchar[{\@abstract}{\@abstract[]}}
\def\@abstract[#1]{%
\global\@hasabstracttrue
\hyphenpenalty\sv@hyphenpenalty
\global\setbox\t@abstract=\vbox\bgroup
\linewidth\abstract@width
\hsize\abstract@width
\justify@on\abstract@size\parindent 1em
\abstract@indent\textbf{\abstractname}\ignorespaces}
\def\endabstract{\par\egroup}
%
% KEYWORDS
\def\sep{\unskip, }
\global\@haskeywordsfalse
\newdimen\dp@t@keywords
\def\keyword{\global\@haskeywordstrue%
\global\setbox\t@keywords=\vbox\bgroup%
\hsize\abstract@width%
\justify@on\abstract@size\parindent 0\p@
\textbf{\keywordsname}\ignorespaces
}
\def\endkeyword{\par\egroup\global\dp@t@keywords=\dp\t@keywords}
\def\keywords#1{\begin{keyword}#1\end{keyword}}
%
%
%
% Running title
\def\runningtitle#1{\gdef\@runtitle{#1}} \def\@runtitle{}
\def\runningauthor#1{{\def\etal{et al.}\gdef\@runauthor{#1\@runsep}}} \def\@runauthor{}
\def\runningsep#1{\gdef\@runsep{#1}}
\def\@runsep{\ /\ }
%
\def\journal#1{\gdef\@journal{#1}} \@ifundefined{@journal}{\gdef\@journal{Journal not defined}}{}
\def\volume#1{\gdef\@volume{#1}} \def\@volume{0}
\def\issue#1{\gdef\@issue{#1}} \def\@issue{0}
%
%
\newcount\@pubyear
\newcount\@copyear
\@pubyear=\number\year
\@copyear\@pubyear
\advance\@copyear-2000
\def\pubyear#1{\global\@pubyear#1
\global\@copyear\@pubyear
\global\advance\@copyear-2000%
\ignorespaces}
%
\def\the@copyear{\ifnum\@copyear<10 0\fi\the\@copyear}
%
\pubyear{2003}
%
\def\firstpage#1{\def\@tempa{#1}\ifx\@tempa\@empty\else
\gdef\@firstpage{#1}\gdef\@lastpage{#1}%
\global\c@page=#1 \ignorespaces\fi
}
\def\@firstpage{1}
\def\lastpage#1{\def\@tempa{#1}\ifx\@tempa\@empty\else
\gdef\@lastpage{#1}\ignorespaces\fi}
\def\@lastpage{0}
\def\@pagerange{1--0}
% Write the last page:
\def\write@last@page{%
\write\@mainaux{\string\global\string\@namedef{@lastpage}{\the\c@page}}}
\AtEndDocument{\write@last@page}
% SGML
\long\def\convertas#1#2{#2}
\def\sday#1{#1}\def\smonth#1{#1}\def\syear#1{#1}
\def\aid#1{\gdef\@aid{#1}}
%
\def\SSDI#1{\gdef\@ssdi{#1}} \def\@ssdi{000000-00}
\def\issn#1{\gdef\@issn{#1}}
\def\price#1{\gdef\@price{#1}}
%
\def\date#1{\gdef\@date{#1}} \def\@date{\today}
%
\def\empty@data{\@nil}
%
%***************** BACKMATTER
\newcommand\backmatter{\goodbreak}
%**************** INICIALIZATION
\newcommand\refname{References}
\newcommand\figurename{Figure}
\newcommand\tablename{Table}
\newcommand\algorithmname{Algorithm}
\newcommand\appendixname{Appendix}
\newcommand\abstractname{Abstract. }
\newcommand\keywordsname{Keywords. }
\def\acknowledgementsname{Acknowledgements}
%
\def\copyright@sign{\copyright}
%
% DIMENSIONS
\def\@articletypesize{\large}
\def\pretitle@size{\LARGE}
\def\title@size{\huge}
\def\subtitle@size{\large\itshape}
\def\authors@size{\normalsize}
\def\abstract@size{\footnotesize}
\def\abstract@width{22pc}
\def\abstract@indent{\noindent}
\def\address@size{\normalsize\itshape}
% Block preparation of contents:
\def\addcontentsline#1#2#3{}
\long\def\addtocontents#1#2{}
%
\newcommand\today{}
\edef\today{\ifcase\month\or
January\or February\or March\or April\or May\or June\or
July\or August\or September\or October\or November\or December\fi
\space\number\day, \number\year}
%
\@twosidetrue
\pagenumbering{arabic}
\frenchspacing
\init@settings
\if@twocolumn\setlength\tablewidth{\columnwidth}
\else\setlength\tablewidth{\textwidth}\fi
%\pagestyle{headings}
\pagestyle{empty}
\endinput
%%
%% End of file `IOS-Book-Article.cls'.
================================================
FILE: marktoberdorf_paper/DSE/cpp2.json
================================================
{ "name": "cpp2",
"extend": "cpp",
"extraKeywords": ["function","override","var","instanceof"]
}
================================================
FILE: marktoberdorf_paper/DSE/dse.bib
================================================
@article{King76,
author = {James C. King},
title = {Symbolic Execution and Program Testing},
journal = {Communications of the ACM},
volume = {19},
number = {7},
pages = {385–394},
year = {1976}
}
@article{Clarke76,
author = {Lori A. Clarke},
title = {A System to Generate Test Data and Symbolically Execute Programs},
journal = {{IEEE} Transactions on Software Engineering},
volume = {2},
number = {3},
pages = {215--222},
year = {1976}
}
@book{Dijkstra76,
author = {Edsger W. Dijkstra},
title = {A Discipline of Programming},
publisher = {Prentice-Hall},
year = {1976}
}
@article{Korel90,
author = {Bogdan Korel},
title = {Automated Software Test Data Generation},
journal = {{IEEE} Transactions on Software Engineering},
volume = {16},
number = {8},
pages = {870--879},
year = {1990}
}
@article{Korel92,
author = {Bogdan Korel},
title = {Dynamic Method of Software Test Data Generation},
journal = {Journal of Software Testing, Verification and Reliability},
volume = {2},
number = {4},
pages = {203--213},
year = {1992}
}
@inproceedings{Gupta00,
author = {Neelam Gupta and
Aditya P. Mathur and
Mary Lou Soffa},
title = {Generating Test Data for Branch Coverage},
booktitle = {Proceedings of the Automate Software Engineering Conference},
pages = {219--228},
year = {2000}
}
@inproceedings{GodefroidKS05,
author = {Patrice Godefroid and
Nils Klarlund and
Koushik Sen},
title = {{DART:} directed automated random testing},
booktitle = {Proceedings of the {ACM} {SIGPLAN} Conference on Programming
Language Design and Implementation},
pages = {213--223},
year = {2005}
}
@inproceedings{SenACAV06,
author = {Koushik Sen and
Gul Agha},
title = {{CUTE} and jCUTE: Concolic Unit Testing and Explicit Path Model-Checking
Tools},
booktitle = {Proceedings of 18th Computer Aided Verification Conference},
pages = {419--423},
year = {2006}
}
@inproceedings{CadarE05,
author = {Cristian Cadar and
Dawson R. Engler},
title = {Execution Generated Test Cases: How to Make Systems Code Crash Itself},
booktitle = {Proceedings of 12th International {SPIN} Workshop},
pages = {2--23},
year = {2005}
}
@inproceedings{CadarGPDE06,
author = {Cristian Cadar and
Vijay Ganesh and
Peter M. Pawlowski and
David L. Dill and
Dawson R. Engler},
title = {{EXE:} automatically generating inputs of death},
booktitle = {Proceedings of the 13th {ACM} Conference on Computer and Communications
Security},
pages = {322--335},
year = {2006}
}
@inproceedings{CadarDE08,
author = {Cristian Cadar and
Daniel Dunbar and
Dawson R. Engler},
title = {{KLEE:} Unassisted and Automatic Generation of High-Coverage Tests
for Complex Systems Programs},
booktitle = {Proceedings of the 8th {USENIX} Symposium on Operating Systems Design and Implementation},
pages = {209--224},
year = {2008}
}
@inproceedings{deMouraB08,
author = {Leonardo Mendon{\c{c}}a de Moura and
Nikolaj Bj{\o}rner},
title = {{Z3:} An Efficient {SMT} Solver},
booktitle = {Proceedings of the 14th International Conference of Tools and Algorithms for the Construction and Analysis of Systems},
pages = {337--340},
year = {2008}
}
@inproceedings{Godefroid11,
author = {Patrice Godefroid},
title = {Higher-order test generation},
booktitle = {Proceedings of the {ACM} {SIGPLAN} Conference on Programming
Language Design and Implementation},
pages = {258--269},
year = {2011}
}
@article{GodefroidLM12,
author = {Patrice Godefroid and
Michael Y. Levin and
David A. Molnar},
title = {{SAGE:} whitebox fuzzing for security testing},
journal = {Communications of the {ACM}},
volume = {55},
number = {3},
pages = {40--44},
year = {2012}
}
@article{CadarS13,
author = {Cristian Cadar and
Koushik Sen},
title = {Symbolic execution for software testing: three decades later},
journal = {Communications of the {ACM}},
volume = {56},
number = {2},
pages = {82--90},
year = {2013}
}
================================================
FILE: marktoberdorf_paper/DSE/ignores.dic
================================================
================================================
FILE: marktoberdorf_paper/DSE/out/DSE.tex
================================================
\documentclass{IOS-Book-Article}
% generated by Madoko, version 0.9.3-beta
%mdk-data-line={1}
\usepackage[heading-base=2]{madoko}
\begin{document}
%mdk-begin-texraw
%mdk-data-line={25}
\begin{frontmatter} % The preamble begins here.
%\pretitle{Pretitle}
\title{Deconstructing Dynamic Symbolic Execution}
%\runningtitle{IOS Press Style Sample}
%\subtitle{Subtitle}
\author[A]{\fnms{Thomas} \snm{Ball}}
and
\author[B]{\fnms{Jakub} \snm{Daniel}}
\runningauthor{Thomas Ball et al.}
\address[A]{Microsoft Research}
\address[B]{Charles University}
\begin{mdDiv}[class={abstract},elem={abstract},data-line={39}]%
\begin{mdP}[data-line={40}]%
%mdk-data-line={40}
{}Dynamic symbolic execution (DSE) is a well-known technique
for automatically generating tests to achieve higher levels
of coverage in a program. Two keys ideas of DSE are
to: (1) seed symbolic execution by executing a program on an
initial input; (2) use concrete values from the program
execution in place of symbolic expressions whenever symbolic
reasoning is hard or not desired. We describe
DSE for a simple core language and then present
a minimalist implementation of DSE for Python (in Python)
that follows this basic recipe. The code is available
at https://www.github.com/thomasjball/PyExZ3/ (tagged %mdk-data-line={50}
{}{\textquotedblleft}v1.0{\textquotedblright}%mdk-data-line={50}
{})
and has been designed to make it easy to experiment with and
extend.%
\end{mdP}%%
\end{mdDiv}%
%mdk-begin-texraw
%mdk-data-line={56}
\begin{keyword}
Symbolic Execution, Automatic Test Generation, White-box Testing, Automated
Theorem Provers
\end{keyword}
\end{frontmatter}
\thispagestyle{empty}
\pagestyle{empty}
\mdHxx[id=sec-intro,label={[1]\{.heading-label\}},toc={},data-line={70},caption={[[1]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}Introduction},bookmark={1.{\hspace{0.5em}}Introduction}]{%mdk-data-line={70}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{1}.{\hspace{0.5em}}}%mdk-data-line={70}
{}Introduction}%mdk-data-line={73}
\defcommand{\mathkw}[1]{\textbf{#1}}
\begin{mdP}[data-line={78}]%
%mdk-data-line={78}
{}Static, path-based symbolic execution explores one control-flow path
at a time through a (sequential) program %mdk-data-line={79}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={79}
{}, using an automated theorem
prover (ATP) to determine if the current path %mdk-data-line={80}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={80}
{} is feasible%mdk-data-line={80}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{clarke76}{}{\mdSpan[class={bibitem-label}]{4}}, \mdA[class={bibref,localref},target-element={bibitem}]{king76}{}{\mdSpan[class={bibitem-label}]{11}}]}%mdk-data-line={80}
{}.
Ideally, symbolic execution of a path %mdk-data-line={81}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={81}
{} through program
%mdk-data-line={82}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={82}
{} yields a logic formula %mdk-data-line={82}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={82}
{} that describes the set of inputs %mdk-data-line={82}
{}\mdSpan[class={math-inline},elem={math-inline}]{$I$}%mdk-data-line={82}
{} (possibly empty)
to program %mdk-data-line={83}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={83}
{} such that for any %mdk-data-line={83}
{}\mdSpan[class={math-inline},elem={math-inline}]{$i \in I$}%mdk-data-line={83}
{}, the execution %mdk-data-line={83}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P(i)$}%mdk-data-line={83}
{} follows path %mdk-data-line={83}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={83}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={85}]%
%mdk-data-line={85}
{}If the formula %mdk-data-line={85}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={85}
{} is unsatisfiable then %mdk-data-line={85}
{}\mdSpan[class={math-inline},elem={math-inline}]{$I$}%mdk-data-line={85}
{} is empty and so path %mdk-data-line={85}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={85}
{} is not feasible;
if the formula is satisfiable then %mdk-data-line={86}
{}\mdSpan[class={math-inline},elem={math-inline}]{$I$}%mdk-data-line={86}
{} is not empty and so path %mdk-data-line={86}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={86}
{} is feasible.
In this case, a model of %mdk-data-line={87}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={87}
{} provides a witness %mdk-data-line={87}
{}\mdSpan[class={math-inline},elem={math-inline}]{$i \in I$}%mdk-data-line={87}
{}. Thus, a model-generating ATP
can be used in conjunction with
symbolic execution to automatically generate tests to cover paths
in a program. Combined with a search strategy, one gets, in the limit,
an exhaustive white-box testing procedure, for which there are many
applications%mdk-data-line={92}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{cadars13}{}{\mdSpan[class={bibitem-label}]{2}}, \mdA[class={bibref,localref},target-element={bibitem}]{cadargpde06}{}{\mdSpan[class={bibitem-label}]{3}}, \mdA[class={bibref,localref},target-element={bibitem}]{godefroidlm12}{}{\mdSpan[class={bibitem-label}]{9}}]}%mdk-data-line={92}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={94}]%
%mdk-data-line={94}
{}The formula %mdk-data-line={94}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={94}
{} is called a %mdk-data-line={94}
{}\mdEm{path-condition}%mdk-data-line={94}
{} of the path %mdk-data-line={94}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={94}
{}.
We will see that a given path %mdk-data-line={95}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={95}
{} can induce many different path-conditions.
A path-condition %mdk-data-line={96}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\psi_p$}%mdk-data-line={96}
{} for path %mdk-data-line={96}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={96}
{} is %mdk-data-line={96}
{}\mdEm{sound}%mdk-data-line={96}
{} if
every input assignment satisfying %mdk-data-line={97}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\psi_p$}%mdk-data-line={97}
{} defines an
execution of program %mdk-data-line={98}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={98}
{} that follows path %mdk-data-line={98}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={98}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{godefroid11}{}{\mdSpan[class={bibitem-label}]{7}}]}%mdk-data-line={98}
{}.
By its definition, the formula %mdk-data-line={99}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={99}
{} is sound and the best representation of %mdk-data-line={99}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={99}
{}
(as for all sound path-conditions %mdk-data-line={100}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\psi_p$}%mdk-data-line={100}
{}, we have that %mdk-data-line={100}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\psi_p \implies \phi_p$}%mdk-data-line={100}
{}).
In practice, we attempt to compute sound under-approximations of %mdk-data-line={101}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={101}
{}
such as %mdk-data-line={102}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\psi_p$}%mdk-data-line={102}
{}. However, we also find it necessary (and useful) to
compute unsound path-conditions.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={105}]%
%mdk-data-line={105}
{}A path-condition can be translated into the input
language of an ATP, such as%mdk-data-line={106}
{}{\mdNbsp}\mdA[data-linkid={z3}]{http://z3.codeplex.org/}{}{Z3}%mdk-data-line={106}
{}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{demourab08}{}{\mdSpan[class={bibitem-label}]{5}}]}%mdk-data-line={106}
{}, which provides an answer
of %mdk-data-line={107}
{}{\textquotedblleft}unsatisfiable{\textquotedblright}%mdk-data-line={107}
{}, %mdk-data-line={107}
{}{\textquotedblleft}satisfiable{\textquotedblright}%mdk-data-line={107}
{} or %mdk-data-line={107}
{}{\textquotedblleft}unknown{\textquotedblright}%mdk-data-line={107}
{}, due to theoretical or practical
limitations in automatically deciding satisfiability of various logics.
In the case that the ATP is able to prove %mdk-data-line={109}
{}{\textquotedblleft}satisfiable{\textquotedblright}%mdk-data-line={109}
{} we can query it for
satisfying model in order to generate test inputs. A path-condition
for %mdk-data-line={111}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={111}
{} can be thought of as function from a
program%mdk-data-line={112}
{}{'}%mdk-data-line={112}
{}s primary inputs to a Boolean output representing whether
or not %mdk-data-line={113}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={113}
{} is executed under a given input. Thus, we are asking
the ATP to invert a function when we ask it to decide
the satisfiability/unsatisfiability of a path-condition.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={117}]%
%mdk-data-line={117}
{}The static translation of a path %mdk-data-line={117}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={117}
{} through a program %mdk-data-line={117}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={117}
{} into
the most precise path-condition %mdk-data-line={118}
{}\mdSpan[class={math-inline},elem={math-inline}]{$\phi_p$}%mdk-data-line={118}
{} is not a simple task, as
programming languages and their semantics are very complex.
Completely characterizing the set of inputs %mdk-data-line={120}
{}\mdSpan[class={math-inline},elem={math-inline}]{$I$}%mdk-data-line={120}
{} that follow
path %mdk-data-line={121}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={121}
{} means providing a symbolic interpretation of
every operation in the language so that the
ATP can reason about it. For example, consider a method call in Python.
Python%mdk-data-line={124}
{}{'}%mdk-data-line={124}
{}s algorithm for method resolution order (see%mdk-data-line={124}
{}{\mdNbsp}\mdA[data-linkid={mro}]{https://www.python.org/download/releases/2.3/mro/}{}{MRO}%mdk-data-line={124}
{})
depends on the inheritance hierarchy of the program, a directed,
acyclic graph that can evolve during program execution. Symbolically
encoding Python%mdk-data-line={127}
{}{'}%mdk-data-line={127}
{}s method resolution order is possible but non-trivial.
There are other reasons it is hard or undesirable to symbolically
execute various operations, as will be explained in detail later.%
\end{mdP}%
\mdHxxx[id=sec-dynamic-symbolic-execution,label={[1.1]\{.heading-label\}},toc={},data-line={131},caption={[[1.1]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}Dynamic symbolic execution},bookmark={1.1.{\hspace{0.5em}}Dynamic symbolic execution}]{%mdk-data-line={131}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{1.1}.{\hspace{0.5em}}}%mdk-data-line={131}
{}Dynamic symbolic execution}\begin{mdP}[data-line={133}]%
%mdk-data-line={133}
{}\mdEm{Dynamic}%mdk-data-line={133}
{} symbolic execution (DSE) is a form of path-based
symbolic execution based on two insights. First, the approach
starts by executing program %mdk-data-line={135}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={135}
{} on
some input %mdk-data-line={136}
{}\mdSpan[class={math-inline},elem={math-inline}]{$i$}%mdk-data-line={136}
{}, seeding the symbolic execution process
with a feasible path%mdk-data-line={137}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{gupta00}{}{\mdSpan[class={bibitem-label}]{10}}, \mdA[class={bibref,localref},target-element={bibitem}]{korel90}{}{\mdSpan[class={bibitem-label}]{12}}, \mdA[class={bibref,localref},target-element={bibitem}]{korel92}{}{\mdSpan[class={bibitem-label}]{13}}]}%mdk-data-line={137}
{}.
Second, DSE
uses concrete values from the execution %mdk-data-line={139}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P(i)$}%mdk-data-line={139}
{} in place of symbolic expressions
whenever symbolic reasoning is not possible or desired%mdk-data-line={140}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{cadare05}{}{\mdSpan[class={bibitem-label}]{1}}, \mdA[class={bibref,localref},target-element={bibitem}]{godefroidks05}{}{\mdSpan[class={bibitem-label}]{8}}]}%mdk-data-line={140}
{}.
The major benefit of DSE is to
simplify the construction of a symbolic execution tool by
leveraging concrete execution behavior (given by
actually running the program).
As DSE combines both
concrete and symbolic reasoning, it also has been called %mdk-data-line={146}
{}{\textquotedblleft}concolic{\textquotedblright}%mdk-data-line={146}
{}
execution%mdk-data-line={147}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{senacav06}{}{\mdSpan[class={bibitem-label}]{14}}]}%mdk-data-line={147}
{}.%
\end{mdP}%
\begin{mdDiv}[class={figure,floating,align-center},id=fig-dse,label={[1]\{.figure-label\}},elem={figure},toc-line={[1]\{.figure-label\}. Pseudo-code for dynamic symbolic execution},toc={tof},float-env={figure},float-name={Figure},caption={Pseudo-code for dynamic symbolic execution},data-line={149}]%
\begin{mdPre}[class={para-block,pre-fenced,pre-fenced3,language-python,lang-python,python,highlighted},language={python},data-line={150},data-line-code={151}]%
\mdPrecode[data-line={151}]{{\preindent{2}}\mdToken{Identifier,Python}{i}{\prespace{1}}\mdToken{Keyword,Python}{=}{\prespace{1}}\mdToken{Identifier,Python}{an}{\prespace{1}}\mdToken{Identifier,Python}{input}{\prespace{1}}\mdToken{Identifier,Python}{to}{\prespace{1}}\mdToken{Identifier,Python}{program}{\prespace{1}}\mdToken{Constructor,Identifier,Python}{P}\prebr{}
{\preindent{2}}\mdToken{Keyword,Python}{while}{\prespace{1}}\mdToken{Identifier,Python}{defined}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{i}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{5}}\mdToken{Identifier,Python}{p}{\prespace{1}}\mdToken{Keyword,Python}{=}{\prespace{1}}\mdToken{Identifier,Python}{path}{\prespace{1}}\mdToken{Identifier,Python}{covered}{\prespace{1}}\mdToken{Identifier,Python}{by}{\prespace{1}}\mdToken{Identifier,Python}{execution}{\prespace{1}}\mdToken{Constructor,Identifier,Python}{P}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{i}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\prebr{}
{\preindent{5}}\mdToken{Identifier,Python}{cond}{\prespace{1}}\mdToken{Keyword,Python}{=}{\prespace{1}}\mdToken{Identifier,Python}{pathCondition}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{p}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\prebr{}
{\preindent{5}}\mdToken{Identifier,Python}{s}{\prespace{1}}\mdToken{Keyword,Python}{=}{\prespace{1}}\mdToken{Constructor,Identifier,Python}{ATP}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Namespace,Identifier,Python}{Not}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{cond}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\prebr{}
{\preindent{5}}\mdToken{Identifier,Python}{i}{\prespace{1}}\mdToken{Keyword,Python}{=}{\prespace{1}}\mdToken{Identifier,Python}{s}\mdToken{Delimiter,Python}{.}\mdToken{Identifier,Python}{model}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%
\end{mdPre}%
\mdHr[class={figureline,madoko},data-line={158}]{}\begin{mdDiv}[data-line={159}]%
%mdk-data-line={159}
{}\mdSpan[class={figure-caption}]{\mdSpan[class={caption-before}]{\mdStrong{Figure{\mdNbsp}\mdSpan[class={figure-label}]{1}.} }Pseudo-code for dynamic symbolic execution}%mdk-data-line={159}
{}%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[class={indent},data-line={160}]%
%mdk-data-line={160}
{}The pseudo-code of Figure%mdk-data-line={160}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-dse}{}{\mdSpan[class={figure-label}]{1}}%mdk-data-line={160}
{} shows the high level process
of DSE. The variable %mdk-data-line={161}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{i}}%mdk-data-line={161}
{} represents an input
to program %mdk-data-line={162}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Constructor,Identifier,Python}{P}}%mdk-data-line={162}
{}. Execution of program %mdk-data-line={162}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Constructor,Identifier,Python}{P}}%mdk-data-line={162}
{} on the input %mdk-data-line={162}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{i}}%mdk-data-line={162}
{}
traces a path %mdk-data-line={163}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{p}}%mdk-data-line={163}
{}, from which
a logical formula %mdk-data-line={164}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{pathCondition}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{p}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={164}
{} is constructed.
Finally, the ATP is called with the negation of the path-condition
to find a new input (that hopefully will cover a new path). This
pseudo-code elides a number of details that we will deal with later.%
\end{mdP}%
\begin{mdDiv}[class={figure,floating,align-center},id=fig-easy-dse,label={[2]\{.figure-label\}},elem={figure},toc-line={[2]\{.figure-label\}. Easy example: computing the maximum of four numbers in Python.},toc={tof},float-env={figure},float-name={Figure},caption={Easy example: computing the maximum of four numbers in Python.},data-line={169}]%
\begin{mdPre}[class={para-block,pre-fenced,pre-fenced3,language-python,lang-python,python,highlighted},language={python},data-line={170},data-line-code={171}]%
\mdPrecode[data-line={171}]{\mdToken{Keyword,Python}{def}{\prespace{1}}\mdToken{Identifier,Python}{max2}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{s}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{t}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{4}}\mdToken{Keyword,Python}{if}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{s}{\prespace{1}}\mdToken{Operator,Python}{{\textless}}{\prespace{1}}\mdToken{Identifier,Python}{t}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{8}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{Identifier,Python}{t}\prebr{}
{\preindent{4}}\mdToken{Keyword,Python}{else}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{8}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{Identifier,Python}{s}\prebr{}
\prebr{}
\mdToken{Keyword,Python}{def}{\prespace{1}}\mdToken{Identifier,Python}{max4}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{4}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{Identifier,Python}{max2}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{max2}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{max2}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%
\end{mdPre}%
\mdHr[class={figureline,madoko},data-line={180}]{}\begin{mdDiv}[data-line={181}]%
%mdk-data-line={181}
{}\mdSpan[class={figure-caption}]{\mdSpan[class={caption-before}]{\mdStrong{Figure{\mdNbsp}\mdSpan[class={figure-label}]{2}.} }Easy example: computing the maximum of four numbers in Python.}%mdk-data-line={181}
{}%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[class={indent,para-continue},data-line={182}]%
%mdk-data-line={182}
{}Consider the Python function %mdk-data-line={182}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{max4}}%mdk-data-line={182}
{} in Figure%mdk-data-line={182}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-easy-dse}{}{\mdSpan[class={figure-label}]{2}}%mdk-data-line={182}
{},
which computes the maximum of four numbers via three calls to
the function %mdk-data-line={184}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{max2}}%mdk-data-line={184}
{}. Suppose we execute %mdk-data-line={184}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{max4}}%mdk-data-line={184}
{} with values
of zero for all four arguments. In this case, the
execution path %mdk-data-line={186}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={186}
{} contains three comparisons (in the order %mdk-data-line={186}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}{\prespace{1}}\mdToken{Operator,Python}{{\textless}}{\prespace{1}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={186}
{},
%mdk-data-line={187}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}{\prespace{1}}\mdToken{Operator,Python}{{\textless}}{\prespace{1}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={187}
{}, %mdk-data-line={187}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}{\prespace{1}}\mdToken{Operator,Python}{{\textless}}{\prespace{1}}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={187}
{}), all of which evaluate false.
Thus, the path-condition for path %mdk-data-line={188}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={188}
{} is %mdk-data-line={188}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Keyword,Python}{not}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Keyword,Python}{not}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Keyword,Python}{not}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}{\prespace{1}}\mdToken{Operator,Python}{{\textless}}{\prespace{1}}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={188}
{}.
Negating this condition yields %mdk-data-line={189}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{or}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{or}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={189}
{}.
Taking the execution ordering of the three comparisons into account, we
derive three expressions from the negated path-condition to generate
new inputs that will explore execution prefixes of path %mdk-data-line={192}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={192}
{} of increasing length:%
\end{mdP}%
\begin{mdUl}[class={ul,list-star,compact},elem={ul},data-line={194}]%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(1)]\{.ul-li-label\}},elem={li},data-line={194}]%
%mdk-data-line={194}
{}\mdEm{length 0}%mdk-data-line={194}
{}: %mdk-data-line={194}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={194}
{}%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(2)]\{.ul-li-label\}},elem={li},data-line={195}]%
%mdk-data-line={195}
{}\mdEm{length 1}%mdk-data-line={195}
{}: %mdk-data-line={195}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Keyword,Python}{not}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={195}
{}%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(3)]\{.ul-li-label\}},elem={li},data-line={196}]%
%mdk-data-line={196}
{}\mdEm{length 2}%mdk-data-line={196}
{}: %mdk-data-line={196}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Keyword,Python}{not}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Keyword,Python}{not}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={196}
{}%
\end{mdLi}%%
\end{mdUl}%
\begin{mdP}[class={para-continue},data-line={198}]%
%mdk-data-line={198}
{}The purpose of taking execution order into account should be clear, as the
comparison %mdk-data-line={199}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={199}
{} only executes in the case where %mdk-data-line={199}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Keyword,Python}{not}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Keyword,Python}{not}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={199}
{}
holds. Integer solutions to the above three systems of constraints are:%
\end{mdP}%
\begin{mdUl}[class={ul,list-star,compact},elem={ul},data-line={202}]%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(1)]\{.ul-li-label\}},elem={li},data-line={202}]%
%mdk-data-line={202}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{a}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{b}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{2}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{c}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{d}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}}%mdk-data-line={202}
{}%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(2)]\{.ul-li-label\}},elem={li},data-line={203}]%
%mdk-data-line={203}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{a}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{b}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{c}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{d}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{3}}%mdk-data-line={203}
{}%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(3)]\{.ul-li-label\}},elem={li},data-line={204}]%
%mdk-data-line={204}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{a}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{b}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{c}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{2}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{d}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{0}}%mdk-data-line={204}
{}%
\end{mdLi}%%
\end{mdUl}%
\begin{mdP}[data-line={206}]%
%mdk-data-line={206}
{}In the three cases above, we sought solutions that kept as many of
the variables as possible equal to the original input (in which
all variables are equal to 0). Execution of the %mdk-data-line={208}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{max4}}%mdk-data-line={208}
{} function
on the input corresponding to the first solution produces the path-condition
%mdk-data-line={210}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{a}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{b}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Keyword,Python}{not}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{c}\mdToken{Operator,Python}{{\textless}}\mdToken{Identifier,Python}{d}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Keyword,Python}{not}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{b}{\prespace{1}}\mdToken{Operator,Python}{{\textless}}{\prespace{1}}\mdToken{Identifier,Python}{c}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={210}
{}, from which we can produce more
inputs. For this (loop-free function), there are a finite number
of path-conditions. We leave it as an exercise to the reader to
enumerate them all.%
\end{mdP}%
\mdHxxx[id=sec-leveraging-concrete-values-in-dse,label={[1.2]\{.heading-label\}},toc={},data-line={215},caption={[[1.2]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}Leveraging concrete values in DSE},bookmark={1.2.{\hspace{0.5em}}Leveraging concrete values in DSE}]{%mdk-data-line={215}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{1.2}.{\hspace{0.5em}}}%mdk-data-line={215}
{}Leveraging concrete values in DSE}\begin{mdP}[data-line={217}]%
%mdk-data-line={217}
{}We now consider several situations where we can make use of concrete
values in DSE. In the realm of (unbounded-precision) integer arithmetic
(e.g., bignum integer arithmetic, as in Python 3.0 onwards),
it is easy to come up with tiny programs that will be %mdk-data-line={220}
{}\mdEm{very difficult}%mdk-data-line={220}
{},
if not %mdk-data-line={221}
{}\mdEm{impossible}%mdk-data-line={221}
{},
for any symbolic execution tool to deal with, such as the function %mdk-data-line={222}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fermat3}}%mdk-data-line={222}
{}
in Figure%mdk-data-line={223}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-fermat3}{}{\mdSpan[class={figure-label}]{3}}%mdk-data-line={223}
{}.%mdk-data-line={223}
{} %mdk-data-line={223}
{}%
\end{mdP}%
\begin{mdDiv}[class={figure,floating,align-center},id=fig-fermat3,label={[3]\{.figure-label\}},elem={figure},toc-line={[3]\{.figure-label\}. Hard example for symbolic execution},toc={tof},float-env={figure},float-name={Figure},caption={Hard example for symbolic execution},data-line={226}]%
\begin{mdPre}[class={para-block,pre-fenced,pre-fenced3,language-python,lang-python,python,highlighted},language={python},data-line={227},data-line-code={228}]%
\mdPrecode[data-line={228}]{\mdToken{Keyword,Python}{def}{\prespace{1}}\mdToken{Identifier,Python}{fermat3}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{z}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{3}}\mdToken{Keyword,Python}{if}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}{\prespace{1}}\mdToken{Operator,Python}{{\textgreater}}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{y}{\prespace{1}}\mdToken{Operator,Python}{{\textgreater}}{\prespace{1}}\mdToken{Number,Python}{0}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Identifier,Python}{z}{\prespace{1}}\mdToken{Operator,Python}{{\textgreater}}{\prespace{1}}\mdToken{Number,Python}{0}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{6}}\mdToken{Keyword,Python}{if}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{x}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{x}{\prespace{1}}\mdToken{Operator,Python}{+}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{y}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{y}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{z}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{z}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{z}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{10}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{String,Delim,Python,BracketOpen}{{"}}\mdToken{String,Python}{Fermat\prespace{1}and\prespace{1}Wiles\prespace{1}were\prespace{1}wrong!?!}\mdToken{String,Delim,Python,BracketClose}{{"}}\prebr{}
{\preindent{3}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{Number,Python}{0}}%
\end{mdPre}%
\mdHr[class={figureline,madoko},data-line={234}]{}\begin{mdDiv}[data-line={235}]%
%mdk-data-line={235}
{}\mdSpan[class={figure-caption}]{\mdSpan[class={caption-before}]{\mdStrong{Figure{\mdNbsp}\mdSpan[class={figure-label}]{3}.} }Hard example for symbolic execution}%mdk-data-line={235}
{}%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[class={indent},data-line={237}]%
%mdk-data-line={237}
{}Fermat%mdk-data-line={237}
{}{'}%mdk-data-line={237}
{}s Last Theorem, proved
by Andrew Wiles in the late 20th century, states that no
three positive integers %mdk-data-line={239}
{}\mdSpan[class={math-inline},elem={math-inline}]{$x$}%mdk-data-line={239}
{}, %mdk-data-line={239}
{}\mdSpan[class={math-inline},elem={math-inline}]{$y$}%mdk-data-line={239}
{}, and %mdk-data-line={239}
{}\mdSpan[class={math-inline},elem={math-inline}]{$z$}%mdk-data-line={239}
{} can satisfy the equation
%mdk-data-line={240}
{}\mdSpan[class={math-inline},elem={math-inline}]{$x^n + y^n = z^n$}%mdk-data-line={240}
{} for any integer value of %mdk-data-line={240}
{}\mdSpan[class={math-inline},elem={math-inline}]{$n$}%mdk-data-line={240}
{} greater than two.
The function %mdk-data-line={241}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fermat3}}%mdk-data-line={241}
{} encodes this statement for %mdk-data-line={241}
{}\mdSpan[class={math-inline},elem={math-inline}]{$n=3$}%mdk-data-line={241}
{}. It
is not reasonable to have a computer waste time trying to find
a solution that would cause %mdk-data-line={243}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fermat3}}%mdk-data-line={243}
{} to print the string
%mdk-data-line={244}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{String,Delim,Python,BracketOpen}{{"}}\mdToken{String,Python}{Fermat\prespace{1}and\prespace{1}Wiles\prespace{1}were\prespace{1}wrong!?!}\mdToken{String,Delim,Python,BracketClose}{{"}}}%mdk-data-line={244}
{}. In cases of complex (non-linear)
arithmetic operations,
such as %mdk-data-line={246}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{x}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{x}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{x}}%mdk-data-line={246}
{}, we might choose to handle the operation concretely.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={248}]%
%mdk-data-line={248}
{}There are a number of ways to deal with the above issue: one is
to recognize all non-linear terms in a symbolic expression and replace
them with their concrete counterparts during execution. For the %mdk-data-line={250}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fermat3}}%mdk-data-line={250}
{}
example, this would mean that during DSE the symbolic expression
%mdk-data-line={252}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{x}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{x}{\prespace{1}}\mdToken{Operator,Python}{+}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{y}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{y}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{z}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{z}\mdToken{Operator,Python}{*}\mdToken{Identifier,Python}{z}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={252}
{} would be reduced to the constant %mdk-data-line={252}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Namespace,Identifier,Python}{False}}%mdk-data-line={252}
{}
by evaluation on the concrete values of variables %mdk-data-line={253}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{x}}%mdk-data-line={253}
{}, %mdk-data-line={253}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{y}}%mdk-data-line={253}
{} and %mdk-data-line={253}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{z}}%mdk-data-line={253}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={255}]%
%mdk-data-line={255}
{}Besides difficult operations (such as non-linear arithmetic),
other examples of code that we might treat
concretely instead of symbolically include
functions that are hard to invert, such as cryptographic hash functions,
or low-level functions that we do not wish to test (such as
operating system functions). Consider
the code in Figure%mdk-data-line={261}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-hash}{}{\mdSpan[class={figure-label}]{4}}%mdk-data-line={261}
{}, which applies the function
%mdk-data-line={262}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{unknown}}%mdk-data-line={262}
{} to argument %mdk-data-line={262}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{x}}%mdk-data-line={262}
{} and compares it to argument %mdk-data-line={262}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{y}}%mdk-data-line={262}
{}.
By using the name %mdk-data-line={263}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{unknown}}%mdk-data-line={263}
{} we simply mean to say that we
wish to model this function as a black box, with no knowledge
of how it operates internally.%
\end{mdP}%
\begin{mdDiv}[class={figure,floating,align-center},id=fig-hash,label={[4]\{.figure-label\}},elem={figure},toc-line={[4]\{.figure-label\}. Another hard example for symbolic execution},toc={tof},float-env={figure},float-name={Figure},caption={Another hard example for symbolic execution},data-line={267}]%
\begin{mdPre}[class={para-block,pre-fenced,pre-fenced3,language-python,lang-python,python,highlighted},language={python},data-line={268},data-line-code={269}]%
\mdPrecode[data-line={269}]{\mdToken{Keyword,Python}{def}{\prespace{1}}\mdToken{Identifier,Python}{dart}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}\mdToken{Delimiter,Python}{,}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{2}}\mdToken{Keyword,Python}{if}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{unknown}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}\mdToken{Keyword,Python,BracketOpen}{:}\prebr{}
{\preindent{5}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{Number,Python}{1}\prebr{}
{\preindent{2}}\mdToken{Keyword,Python}{return}{\prespace{1}}\mdToken{Number,Python}{0}}%
\end{mdPre}%
\mdHr[class={figureline,madoko},data-line={274}]{}\begin{mdDiv}[data-line={275}]%
%mdk-data-line={275}
{}\mdSpan[class={figure-caption}]{\mdSpan[class={caption-before}]{\mdStrong{Figure{\mdNbsp}\mdSpan[class={figure-label}]{4}.} }Another hard example for symbolic execution}%mdk-data-line={275}
{}%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[class={indent},data-line={276}]%
%mdk-data-line={276}
{}In such a case, we can use DSE to execute the function %mdk-data-line={276}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{unknown}}%mdk-data-line={276}
{}
on a specific input (say %mdk-data-line={277}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Number,Python}{5013}}%mdk-data-line={277}
{}) and observe its output
(say %mdk-data-line={278}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Number,Python}{42}}%mdk-data-line={278}
{}). That is, rather than execute %mdk-data-line={278}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{unknown}}%mdk-data-line={278}
{} symbolically
and invoke an ATP to invert the function%mdk-data-line={279}
{}{'}%mdk-data-line={279}
{}s path-condition, we
simply treat the call to %mdk-data-line={280}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{unknown}}%mdk-data-line={280}
{} concretely, substituting
its return value (in this case %mdk-data-line={281}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Number,Python}{42}}%mdk-data-line={281}
{}) for the specialized expression
%mdk-data-line={282}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{unknown}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Number,Python}{5013}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{y}}%mdk-data-line={282}
{} to get the predicate %mdk-data-line={282}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Number,Python}{42}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={282}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={284}]%
%mdk-data-line={284}
{}Adding the constraint %mdk-data-line={284}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{5013}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={284}
{} yields the sound but
rather specific path-condition
%mdk-data-line={286}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Number,Python}{5013}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Keyword,Python}{and}{\prespace{1}}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Number,Python}{42}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={286}
{}.
Note that the path-condition %mdk-data-line={287}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Number,Python}{42}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={287}
{} is not sound, as it admits
any value for the variable %mdk-data-line={288}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{x}}%mdk-data-line={288}
{}, which likely includes many values
for which %mdk-data-line={289}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{unknown}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{x}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Python}{==}{\prespace{1}}\mdToken{Identifier,Python}{y}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={289}
{} is false.%
\end{mdP}%
\mdHxxx[id=sec-overview,label={[1.3]\{.heading-label\}},toc={},data-line={291},caption={[[1.3]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}Overview},bookmark={1.3.{\hspace{0.5em}}Overview}]{%mdk-data-line={291}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{1.3}.{\hspace{0.5em}}}%mdk-data-line={291}
{}Overview}\begin{mdP}[class={para-continue},data-line={293}]%
%mdk-data-line={293}
{}This introduction elides many important
issues that arise in implementing DSE for a real language, which we will
focus on in the remainder of the paper. These include how to:%
\end{mdP}%
\begin{mdUl}[class={ul,list-star,compact},elem={ul},data-line={297}]%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(1)]\{.ul-li-label\}},elem={li},data-line={297}]%
%mdk-data-line={297}
{}Identify the code under test %mdk-data-line={297}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={297}
{} and the symbolic inputs to %mdk-data-line={297}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={297}
{};%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(2)]\{.ul-li-label\}},elem={li},data-line={298}]%
%mdk-data-line={298}
{}Trace the control flow path %mdk-data-line={298}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={298}
{} taken by execution %mdk-data-line={298}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P(i)$}%mdk-data-line={298}
{};%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(3)]\{.ul-li-label\}},elem={li},data-line={299}]%
%mdk-data-line={299}
{}Reinterpret program operations to compute symbolic expressions;%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(4)]\{.ul-li-label\}},elem={li},data-line={300}]%
%mdk-data-line={300}
{}Generate a path-condition from %mdk-data-line={300}
{}\mdSpan[class={math-inline},elem={math-inline}]{$p$}%mdk-data-line={300}
{} and the symbolic expressions;%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(5)]\{.ul-li-label\}},elem={li},data-line={301}]%
%mdk-data-line={301}
{}Generate a new input %mdk-data-line={301}
{}\mdSpan[class={math-inline},elem={math-inline}]{$i'$}%mdk-data-line={301}
{} by negating (part of) the path-condition, translating
the path-condition to the input language of an ATP, invoking the ATP, and
lifting a satisfying model (if any) back up to the source level;%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,compact-li},label={[(6)]\{.ul-li-label\}},elem={li},data-line={304}]%
%mdk-data-line={304}
{}Guide the search to expose new paths.%
\end{mdLi}%%
\end{mdUl}%
\begin{mdP}[data-line={306}]%
%mdk-data-line={306}
{}The rest of this paper is organized as follows. Section%mdk-data-line={306}
{}{\mdNbsp}\mdA[class={localref},target-element={h1}]{sec-semantics}{}{\mdSpan[class={heading-label}]{2}}%mdk-data-line={306}
{}
describes an instrumented typing discipline where we lift each type (representing
a set of concrete values) to a symbolic type (representing
a set of pairs of concrete and symbolic values).
Section%mdk-data-line={310}
{}{\mdNbsp}\mdA[class={localref},target-element={h1}]{sec-sp2dse}{}{\mdSpan[class={heading-label}]{3}}%mdk-data-line={310}
{} shows how strongest postconditions defines a symbolic
semantics for a small programming language and how strongest postconditions
can be refined to model DSE.
Section%mdk-data-line={313}
{}{\mdNbsp}\mdA[class={localref},target-element={h1}]{sec-impl}{}{\mdSpan[class={heading-label}]{4}}%mdk-data-line={313}
{} describes an implementation of DSE for the Python language
in the Python language that follows the instrumented semantics pattern closely
(full implementation and tests available at%mdk-data-line={315}
{}{\mdNbsp}\mdA[data-linkid={pyexz3}]{https://github.com/thomasjball/PyExZ3/}{}{PyExZ3}%mdk-data-line={315}
{}, tagged %mdk-data-line={315}
{}{\textquotedblleft}v1.0{\textquotedblright}%mdk-data-line={315}
{}).
Section%mdk-data-line={316}
{}{\mdNbsp}\mdA[class={localref},target-element={h1}]{sec-int2z3}{}{\mdSpan[class={heading-label}]{5}}%mdk-data-line={316}
{} describes the symbolic encoding of Python integer
operations using two decision procedures of Z3: linear arithmetic with
uninterpreted functions in place of non-linear operations;
fixed-width bit-vectors with precise encodings of most operations.
Section%mdk-data-line={320}
{}{\mdNbsp}\mdA[class={localref},target-element={h1}]{sec-extensions}{}{\mdSpan[class={heading-label}]{6}}%mdk-data-line={320}
{} offers a number of ideas for projects
to extend the capabilities of%mdk-data-line={321}
{}{\mdNbsp}\mdA[data-linkid={pyexz3}]{https://github.com/thomasjball/PyExZ3/}{}{PyExZ3}%mdk-data-line={321}
{}.%
\end{mdP}%
\mdHxx[id=sec-semantics,label={[2]\{.heading-label\}},toc={},data-line={323},caption={[[2]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}Instrumented Types},bookmark={2.{\hspace{0.5em}}Instrumented Types}]{%mdk-data-line={323}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{2}.{\hspace{0.5em}}}%mdk-data-line={323}
{}Instrumented Types}\begin{mdP}[data-line={325}]%
%mdk-data-line={325}
{}We are given a universe of classes/types %mdk-data-line={325}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={325}
{}; a type %mdk-data-line={325}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T \in U$}%mdk-data-line={325}
{} carries
along a set of operations that apply to values of type %mdk-data-line={326}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={326}
{},
where an operation %mdk-data-line={327}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T$}%mdk-data-line={327}
{} takes an argument list of typed
values as input (the first being of type %mdk-data-line={328}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={328}
{}) and produces a single
typed value as output. Nullary (static) operations of type %mdk-data-line={329}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={329}
{} can be
used to create values of type %mdk-data-line={330}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={330}
{} (such as constants, objects, etc.)%
\end{mdP}%
\begin{mdP}[class={indent,para-continue},data-line={332}]%
%mdk-data-line={332}
{}A program %mdk-data-line={332}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={332}
{} has typed input variables
%mdk-data-line={333}
{}\mdSpan[class={math-inline},elem={math-inline}]{$v_1 : T_1 \ldots v_k : T_k$}%mdk-data-line={333}
{} and a body from the language of statements %mdk-data-line={333}
{}\mdSpan[class={math-inline},elem={math-inline}]{$S$}%mdk-data-line={333}
{}:%
\end{mdP}%
\begin{mdDiv}[class={mathpre,para-block,input-mathpre},elem={mathpre},data-line={335}]%
\begin{mdDiv}[class={math-display}]%
\[%mdk-data-line={336}
\begin{mdMathprearray}%mdk
\mathid{S}\mdMathspace{1}\rightarrow &\mdMathspace{1}\mathid{v}\mdMathspace{1}:=\mdMathspace{1}\mathid{E}\mdMathbr{}
\mdMathindent{3}|\mdMathspace{1}&\mdMathspace{1}\mathkw{skip}\mdMathspace{1}\mdMathbr{}
\mdMathindent{3}|\mdMathspace{1}&\mdMathspace{1}\mathid{S}_1\mdMathspace{1};\mdMathspace{1}\mathid{S}_2\mdMathspace{1}\mdMathbr{}
\mdMathindent{3}|\mdMathspace{1}&\mdMathspace{1}\mathkw{if}\mdMathspace{1}\mathid{E}\mdMathspace{1}\mathkw{then}\mdMathspace{1}\mathid{S}_1\mdMathspace{1}\mathkw{else}\mdMathspace{1}\mathid{S}_2\mdMathspace{1}\mathkw{end}\mdMathbr{}
\mdMathindent{3}|\mdMathspace{1}&\mdMathspace{1}\mathkw{while}\mdMathspace{1}\mathid{E}\mdMathspace{1}\mathkw{do}\mdMathspace{1}\mathid{S}\mdMathspace{1}\mathkw{end}
\end{mdMathprearray}%mdk
\]%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[data-line={343}]%
%mdk-data-line={343}
{}The language of expressions (%mdk-data-line={343}
{}\mdSpan[class={math-inline},elem={math-inline}]{$E$}%mdk-data-line={343}
{}) is defined by the application of operations
to values, where constants (nullary operations) and
program variables form the leaves
of the expression tree and non-nullary operators
form the interior nodes of the tree.
For now, we will consider all values to be immutable.
That is, the only source of mutation in the language is the
assignment statement.%
\end{mdP}%
\begin{mdP}[class={indent,para-continue},data-line={352}]%
%mdk-data-line={352}
{}To introduce symbolic execution into the picture,
we can imagine that a type %mdk-data-line={353}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T \in U$}%mdk-data-line={353}
{} has
(one or more) counterparts in a symbolic universe %mdk-data-line={354}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={354}
{}. A type %mdk-data-line={354}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T' \in U'$}%mdk-data-line={354}
{}
is a subtype of %mdk-data-line={355}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T \in U$}%mdk-data-line={355}
{} with two purposes:%
\end{mdP}%
\begin{mdUl}[class={ul,list-star,loose},elem={ul},data-line={357}]%
\begin{mdLi}[class={li,ul-li,list-star-li,loose-li},label={[(1)]\{.ul-li-label\}},elem={li},data-line={357}]%
\begin{mdP}[data-line={357}]%
%mdk-data-line={357}
{}First, a value of type %mdk-data-line={357}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={357}
{} represents a pair of values:
a concrete value %mdk-data-line={358}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c$}%mdk-data-line={358}
{} of (super)type %mdk-data-line={358}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={358}
{} and a symbolic expression %mdk-data-line={358}
{}\mdSpan[class={math-inline},elem={math-inline}]{$e$}%mdk-data-line={358}
{}.
A symbolic expression is a tree
whose leaves are either nullary operators (i.e., constants) of a type in %mdk-data-line={360}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={360}
{}
or are Skolem constants representing the (symbolic) inputs (%mdk-data-line={361}
{}\mdSpan[class={math-inline},elem={math-inline}]{$v_1 \ldots v_k$}%mdk-data-line={361}
{})
to the program %mdk-data-line={362}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={362}
{}, and whose interior nodes represent operations
from types in %mdk-data-line={363}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={363}
{}. We refer to Skolem constants as %mdk-data-line={363}
{}{\textquotedblleft}symbolic constants{\textquotedblright}%mdk-data-line={363}
{}
from this point on. Note that symbolic expressions do not contain
references to program variables.%
\end{mdP}%%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,loose-li},label={[(2)]\{.ul-li-label\}},elem={li},data-line={367}]%
\begin{mdP}[data-line={367}]%
%mdk-data-line={367}
{}Second, the type %mdk-data-line={367}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={367}
{} redefines some of the operations %mdk-data-line={367}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T$}%mdk-data-line={367}
{},
namely those for which we wish to compute symbolic expressions.
An operation %mdk-data-line={369}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T'$}%mdk-data-line={369}
{} has the same parameter list as %mdk-data-line={369}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T$}%mdk-data-line={369}
{}, allowing it
to take inputs with types from both %mdk-data-line={370}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={370}
{} and %mdk-data-line={370}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={370}
{}. The return type
of %mdk-data-line={371}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T'$}%mdk-data-line={371}
{} generally is from %mdk-data-line={371}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={371}
{} (though it can be from %mdk-data-line={371}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={371}
{}).
Thus, %mdk-data-line={372}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T'$}%mdk-data-line={372}
{} is a proper function subtype of %mdk-data-line={372}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T$}%mdk-data-line={372}
{}.
The purpose of %mdk-data-line={373}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T'$}%mdk-data-line={373}
{} is to:
(1) perform operation %mdk-data-line={374}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o \in T$}%mdk-data-line={374}
{} on the concrete
values associated with its inputs;
(2) build a symbolic expression tree rooted at operation %mdk-data-line={376}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o$}%mdk-data-line={376}
{}
whose children are the trees associated with the inputs to %mdk-data-line={377}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o$}%mdk-data-line={377}
{}.%
\end{mdP}%%
\end{mdLi}%%
\end{mdUl}%
\begin{mdP}[data-line={379}]%
%mdk-data-line={379}
{}Figure%mdk-data-line={379}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-subtype}{}{\mdSpan[class={figure-label}]{5}}%mdk-data-line={379}
{} presents pseudo code for the instrumentation
of a type %mdk-data-line={380}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={380}
{} via a type %mdk-data-line={380}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={380}
{}.
The class %mdk-data-line={381}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Type,Identifier,Cpp}{Symbolic}}%mdk-data-line={381}
{} is used to hold an expression tree (%mdk-data-line={381}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Type,Identifier,Cpp}{Expr}}%mdk-data-line={381}
{}).
Given a class %mdk-data-line={382}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T \in U$}%mdk-data-line={382}
{}, a symbolic type %mdk-data-line={382}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T' \in U'$}%mdk-data-line={382}
{} is defined by inheriting
from both %mdk-data-line={383}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={383}
{} and %mdk-data-line={383}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Type,Identifier,Cpp}{Symbolic}}%mdk-data-line={383}
{}. This ensures that a %mdk-data-line={383}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={383}
{} can be used
wherever a %mdk-data-line={384}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={384}
{} is expected.%
\end{mdP}%
\begin{mdDiv}[class={figure,floating,align-center},id=fig-subtype,label={[5]\{.figure-label\}},elem={figure},toc-line={[5]\{.figure-label\}. Type instrumentation to carry both concrete values and symbolic expressions.},toc={tof},float-env={figure},float-name={Figure},caption={Type instrumentation to carry both concrete values and symbolic expressions.},data-line={386}]%
\begin{mdPre}[class={para-block,pre-fenced,pre-fenced3,language-cpp2,lang-cpp2,cpp2,highlighted},data-line={387},data-line-code={388},language={cpp2}]%
\mdPrecode[data-line={388}]{{\preindent{2}}\mdToken{Keyword,Cpp}{class}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T'$}}}{\prespace{1}}\mdToken{Operator,Cpp}{:}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T$}}}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{Symbolic}{\prespace{1}}\mdToken{Delimiter,Curly,Cpp,BracketOpen}{\{}\prebr{}
{\preindent{4}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T'$}}}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{c}\mdToken{Operator,Cpp}{:}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T$}}}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{e}\mdToken{Operator,Cpp}{:}\mdToken{Type,Identifier,Cpp}{Expr}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Cpp}{:}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T$}}}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{c}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Source,Cpp}{S}\mdToken{Identifier,Cpp}{ymbolic}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{e}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}{\prespace{1}}\mdToken{Delimiter,Curly,Cpp,BracketOpen}{\{}\mdToken{Delimiter,Curly,Cpp,BracketClose}{\}}\prebr{}
\prebr{}
{\preindent{4}}\mdToken{Keyword,Extra,Cpp}{override}{\prespace{1}}\mdToken{Identifier,Cpp}{o}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Keyword,Cpp}{this}\mdToken{Operator,Cpp}{:}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T$}}}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{f1}\mdToken{Operator,Cpp}{:}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T_1$}}}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}{\prespace{1}}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{fk}\mdToken{Operator,Cpp}{:}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T_k$}}}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Cpp}{:}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$R'$}}}{\prespace{1}}\mdToken{Delimiter,Curly,Cpp,BracketOpen}{\{}\prebr{}
{\preindent{6}}\mdToken{Keyword,Extra,Cpp}{var}{\prespace{1}}\mdToken{Identifier,Cpp}{c}{\prespace{1}}:={\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T$}}}\mdToken{Delimiter,Cpp}{.}\mdToken{Identifier,Cpp}{o}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Keyword,Cpp}{this}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{f1}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}{\prespace{1}}\mdToken{Delimiter,Cpp}{,}\mdToken{Identifier,Cpp}{fk}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}\prebr{}
{\preindent{6}}\mdToken{Keyword,Extra,Cpp}{var}{\prespace{1}}\mdToken{Identifier,Cpp}{e}{\prespace{1}}:={\prespace{1}}\mdToken{Keyword,Cpp}{new}{\prespace{1}}\mdToken{Source,Cpp}{E}\mdToken{Identifier,Cpp}{xpr}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$T$}}}\mdToken{Delimiter,Cpp}{.}\mdToken{Identifier,Cpp}{o}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{expr}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{self}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{expr}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{f1}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Identifier,Cpp}{expr}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{fk}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}\prebr{}
{\preindent{6}}\mdToken{Keyword,Cpp}{return}{\prespace{1}}\mdToken{Keyword,Cpp}{new}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$R'$}}}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{c}\mdToken{Delimiter,Cpp}{,}\mdToken{Identifier,Cpp}{e}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}{\prespace{1}}\prebr{}
{\preindent{4}}\mdToken{Delimiter,Curly,Cpp,BracketClose}{\}}\prebr{}
{\preindent{4}}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\prebr{}
{\preindent{2}}\mdToken{Delimiter,Curly,Cpp,BracketClose}{\}}\prebr{}
{\preindent{2}}\prebr{}
{\preindent{2}}\mdToken{Keyword,Cpp}{class}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$R'$}}}{\prespace{1}}\mdToken{Operator,Cpp}{:}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$R$}}}\mdToken{Delimiter,Cpp}{,}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{Symbolic}{\prespace{1}}\mdToken{Delimiter,Curly,Cpp,BracketOpen}{\{}{\prespace{1}}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}\mdToken{Delimiter,Cpp}{.}{\prespace{1}}\mdToken{Delimiter,Curly,Cpp,BracketClose}{\}}\prebr{}
{\preindent{2}}\prebr{}
{\preindent{2}}\mdToken{Keyword,Extra,Cpp}{function}{\prespace{1}}\mdToken{Identifier,Cpp}{expr}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{v}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Cpp}{=}{\prespace{1}}\mdToken{Identifier,Cpp}{v}{\prespace{1}}\mdToken{Keyword,Extra,Cpp}{instanceof}{\prespace{1}}\mdToken{Type,Identifier,Cpp}{Symbolic}{\prespace{1}}\mdToken{Operator,Cpp}{?}{\prespace{1}}\mdToken{Identifier,Cpp}{v}\mdToken{Delimiter,Cpp}{.}\mdToken{Identifier,Cpp}{getExpr}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}{\prespace{1}}\mdToken{Operator,Cpp}{:}{\prespace{1}}\mdToken{Identifier,Cpp}{v}}%
\end{mdPre}%
\mdHr[class={figureline,madoko},data-line={403}]{}\begin{mdDiv}[data-line={404}]%
%mdk-data-line={404}
{}\mdSpan[class={figure-caption}]{\mdSpan[class={caption-before}]{\mdStrong{Figure{\mdNbsp}\mdSpan[class={figure-label}]{5}.} }Type instrumentation to carry both concrete values and symbolic expressions.}%mdk-data-line={404}
{}%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[class={indent,para-continue},data-line={405}]%
%mdk-data-line={405}
{}A type such as %mdk-data-line={405}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={405}
{} only can be constructed by providing a concrete value %mdk-data-line={405}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c$}%mdk-data-line={405}
{} of
type %mdk-data-line={406}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={406}
{} and a symbolic expression %mdk-data-line={406}
{}\mdSpan[class={math-inline},elem={math-inline}]{$e$}%mdk-data-line={406}
{} to the constructor for %mdk-data-line={406}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={406}
{}.
This will be done in exactly two places:%
\end{mdP}%
\begin{mdUl}[class={ul,list-star,loose},elem={ul},data-line={409}]%
\begin{mdLi}[class={li,ul-li,list-star-li,loose-li},label={[(1)]\{.ul-li-label\}},elem={li},data-line={409}]%
\begin{mdP}[data-line={409}]%
%mdk-data-line={409}
{}by the creation of symbolic constants associated with the primary
inputs (%mdk-data-line={410}
{}\mdSpan[class={math-inline},elem={math-inline}]{$v_1 \ldots v_k$}%mdk-data-line={410}
{}) to the program;%
\end{mdP}%%
\end{mdLi}%
\begin{mdLi}[class={li,ul-li,list-star-li,loose-li},label={[(2)]\{.ul-li-label\}},elem={li},data-line={412}]%
\begin{mdP}[data-line={412}]%
%mdk-data-line={412}
{}by the instrumented operations as shown in Figure%mdk-data-line={412}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-subtype}{}{\mdSpan[class={figure-label}]{5}}%mdk-data-line={412}
{}.%
\end{mdP}%%
\end{mdLi}%%
\end{mdUl}%
\begin{mdP}[data-line={414}]%
%mdk-data-line={414}
{}An instrumented operation %mdk-data-line={414}
{}\mdSpan[class={math-inline},elem={math-inline}]{$o$}%mdk-data-line={414}
{} on arguments (%mdk-data-line={414}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Keyword,Cpp}{this}}%mdk-data-line={414}
{}, %mdk-data-line={414}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{f1}}%mdk-data-line={414}
{}, %mdk-data-line={414}
{}{\dots}%mdk-data-line={414}
{}, %mdk-data-line={414}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fk}}%mdk-data-line={414}
{})
first invokes its corresponding underlying
operator %mdk-data-line={416}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T.o$}%mdk-data-line={416}
{} on arguments (%mdk-data-line={416}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Keyword,Cpp}{this}}%mdk-data-line={416}
{}, %mdk-data-line={416}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{f1}}%mdk-data-line={416}
{}, %mdk-data-line={416}
{}{\dots}%mdk-data-line={416}
{}, %mdk-data-line={416}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fk}}%mdk-data-line={416}
{}) to get concrete value %mdk-data-line={416}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{c}}%mdk-data-line={416}
{}.
It then constructs a new expression tree %mdk-data-line={417}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{e}}%mdk-data-line={417}
{}
rooted at operator %mdk-data-line={418}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T.o$}%mdk-data-line={418}
{}, whose children are the result of
mapping the function %mdk-data-line={419}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{expr}}%mdk-data-line={419}
{} over (%mdk-data-line={419}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Keyword,Cpp}{this}}%mdk-data-line={419}
{}, %mdk-data-line={419}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{f1}}%mdk-data-line={419}
{}, %mdk-data-line={419}
{}{\dots}%mdk-data-line={419}
{}, %mdk-data-line={419}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{fk}}%mdk-data-line={419}
{}).
The helper function %mdk-data-line={420}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{expr}\mdToken{Delimiter,Parenthesis,Python,BracketOpen}{(}\mdToken{Identifier,Python}{v}\mdToken{Delimiter,Parenthesis,Python,BracketClose}{)}}%mdk-data-line={420}
{}
evaluates to an expression tree in the case that %mdk-data-line={421}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{v}}%mdk-data-line={421}
{} is of %mdk-data-line={421}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdToken{Type,Identifier,Cpp}{Symbolic}}%mdk-data-line={421}
{} type
(representing a type in %mdk-data-line={422}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={422}
{}) and evaluates to %mdk-data-line={422}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{v}}%mdk-data-line={422}
{} itself, a concrete value
of some type in %mdk-data-line={423}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={423}
{}, otherwise.
Finally, having computed the values %mdk-data-line={424}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{c}}%mdk-data-line={424}
{} and %mdk-data-line={424}
{}\mdCode[class={code,code1,language-python,lang-python,python,highlighted},language={python}]{\mdToken{Identifier,Python}{e}}%mdk-data-line={424}
{}, the instrumented operator
returns %mdk-data-line={425}
{}\mdCode[class={code,code2,language-cpp2,lang-cpp2,cpp2,highlighted},language={cpp2}]{\mdSpan[class={code-escaped}]{\mdSpan[class={math-inline},elem={math-inline}]{$R'$}}\mdToken{Delimiter,Parenthesis,Cpp,BracketOpen}{(}\mdToken{Identifier,Cpp}{c}\mdToken{Delimiter,Cpp}{,}\mdToken{Identifier,Cpp}{e}\mdToken{Delimiter,Parenthesis,Cpp,BracketClose}{)}}%mdk-data-line={425}
{}, where %mdk-data-line={425}
{}\mdSpan[class={math-inline},elem={math-inline}]{$R$}%mdk-data-line={425}
{} is the return type of operator %mdk-data-line={425}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T.o$}%mdk-data-line={425}
{},
and %mdk-data-line={426}
{}\mdSpan[class={math-inline},elem={math-inline}]{$R'$}%mdk-data-line={426}
{} is a subtype of %mdk-data-line={426}
{}\mdSpan[class={math-inline},elem={math-inline}]{$R$}%mdk-data-line={426}
{} from universe %mdk-data-line={426}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={426}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={428}]%
%mdk-data-line={428}
{}Looked at another way, the universe %mdk-data-line={428}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={428}
{} represents the %mdk-data-line={428}
{}{\textquotedblleft}tainting{\textquotedblright}%mdk-data-line={428}
{} of
types from %mdk-data-line={429}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U$}%mdk-data-line={429}
{}. Tainted values flow from program inputs to the
operands of operators. If an operator has been redefined
(as above) then the taint propagates from its inputs to its outputs.
On the other hand, if the operator has not been redefined, then it will
not propagate the taint. In the context of DSE, %mdk-data-line={433}
{}{\textquotedblleft}taint{\textquotedblright}%mdk-data-line={433}
{} means
that the instrumented semantics carries along a symbolic expression tree %mdk-data-line={434}
{}\mdSpan[class={math-inline},elem={math-inline}]{$e$}%mdk-data-line={434}
{}
along with a concrete value %mdk-data-line={435}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c$}%mdk-data-line={435}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={437}]%
%mdk-data-line={437}
{}The choice of types from the universe %mdk-data-line={437}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={437}
{} determines how symbolic
expressions are constructed. For each %mdk-data-line={438}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T \in U$}%mdk-data-line={438}
{}, the %mdk-data-line={438}
{}{\textquotedblleft}most symbolic{\textquotedblright}%mdk-data-line={438}
{}
(least concrete) choice is the %mdk-data-line={439}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'$}%mdk-data-line={439}
{} that redefines every operator of %mdk-data-line={439}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={439}
{}
(as shown in Figure%mdk-data-line={440}
{}{\mdNbsp}\mdA[class={localref},target-element={figure}]{fig-subtype}{}{\mdSpan[class={figure-label}]{5}}%mdk-data-line={440}
{}).
The %mdk-data-line={441}
{}{\textquotedblleft}least symbolic{\textquotedblright}%mdk-data-line={441}
{} (most concrete) choice is %mdk-data-line={441}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T' = T$}%mdk-data-line={441}
{} which
redefines no operators. Let %mdk-data-line={442}
{}\mdSpan[class={math-inline},elem={math-inline}]{$symbolic(T)$}%mdk-data-line={442}
{} be the
set of types in %mdk-data-line={443}
{}\mdSpan[class={math-inline},elem={math-inline}]{$U'$}%mdk-data-line={443}
{} that are subtypes of %mdk-data-line={443}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={443}
{}. The types
in %mdk-data-line={444}
{}\mdSpan[class={math-inline},elem={math-inline}]{$symbolic(T)$}%mdk-data-line={444}
{} are partially ordered by subset inclusion on the
set of operators from %mdk-data-line={445}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T$}%mdk-data-line={445}
{} they redefine.%
\end{mdP}%
\mdHxx[id=sec-sp2dse,label={[3]\{.heading-label\}},toc={},data-line={449},caption={[[3]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}From Strongest Postconditions to DSE},bookmark={3.{\hspace{0.5em}}From Strongest Postconditions to DSE}]{%mdk-data-line={449}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{3}.{\hspace{0.5em}}}%mdk-data-line={449}
{}From Strongest Postconditions to DSE}\begin{mdP}[data-line={451}]%
%mdk-data-line={451}
{}The previous section showed how symbolic expressions can be computed via a
set of instrumented types, where the expressions are computed as a side-effect
of the execution of program operations.
This section shows how these symbolic expressions can be used to form a
%mdk-data-line={455}
{}\mdEm{path-condition}%mdk-data-line={455}
{} (which then can be compiled into a logic formula and
passed to an automated theorem prover to find new inputs to drive a
program%mdk-data-line={457}
{}{'}%mdk-data-line={457}
{}s execution along new paths). We derive a %mdk-data-line={457}
{}\mdEm{path-condition}%mdk-data-line={457}
{}
directly from the %mdk-data-line={458}
{}\mdEm{strongest postcondition}%mdk-data-line={458}
{} (symbolic) semantics of our
programming language, refining it to model the basic operations
of an interpreter.%
\end{mdP}%
\mdHxxx[id=sec-strongest-postconditions,label={[3.1]\{.heading-label\}},toc={},data-line={462},caption={[[3.1]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}Strongest Postconditions},bookmark={3.1.{\hspace{0.5em}}Strongest Postconditions}]{%mdk-data-line={462}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{3.1}.{\hspace{0.5em}}}%mdk-data-line={462}
{}Strongest Postconditions}\begin{mdP}[class={para-continue},data-line={464}]%
%mdk-data-line={464}
{}The strongest postcondition transformer %mdk-data-line={464}
{}\mdSpan[class={math-inline},elem={math-inline}]{$SP$}%mdk-data-line={464}
{}{\mdNbsp}\mdSpan[class={citations},target-element={bibitem}]{[\mdA[class={bibref,localref},target-element={bibitem}]{dijkstra76}{}{\mdSpan[class={bibitem-label}]{6}}]}%mdk-data-line={464}
{} is defined over
a predicate %mdk-data-line={465}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={465}
{} representing a set of
pre-states and a statement %mdk-data-line={466}
{}\mdSpan[class={math-inline},elem={math-inline}]{$S$}%mdk-data-line={466}
{} from our language. The transformer %mdk-data-line={466}
{}\mdSpan[class={math-inline},elem={math-inline}]{$SP(P,S)$}%mdk-data-line={466}
{}
yields a predicate %mdk-data-line={467}
{}\mdSpan[class={math-inline},elem={math-inline}]{$Q$}%mdk-data-line={467}
{} such that for any state %mdk-data-line={467}
{}\mdSpan[class={math-inline},elem={math-inline}]{$s$}%mdk-data-line={467}
{} satisfying
predicate %mdk-data-line={468}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={468}
{}, the execution of statement %mdk-data-line={468}
{}\mdSpan[class={math-inline},elem={math-inline}]{$S$}%mdk-data-line={468}
{} from state %mdk-data-line={468}
{}\mdSpan[class={math-inline},elem={math-inline}]{$s$}%mdk-data-line={468}
{},
if it does not go wrong or diverge, yields a state %mdk-data-line={469}
{}\mdSpan[class={math-inline},elem={math-inline}]{$s'$}%mdk-data-line={469}
{} satisfying predicate %mdk-data-line={469}
{}\mdSpan[class={math-inline},elem={math-inline}]{$Q$}%mdk-data-line={469}
{}.
The strongest postcondition for the statements in our language
is defined by the following five rules:%
\end{mdP}%
\begin{mdDiv}[class={mathpre,para-block,input-mathpre},elem={mathpre},data-line={473}]%
\begin{mdDiv}[class={math-display}]%
\[%mdk-data-line={474}
\begin{mdMathprearray}%mdk
1.\mdMathspace{2}&\mdMathspace{1}\mathid{SP}(\mathid{P},\mdMathspace{1}\mathid{x}\mdMathspace{1}:=\mdMathspace{1}\mathid{E})\mdMathspace{1}{~\buildrel\triangle\over=~}\mdMathspace{1}\exists \mathid{y}\mdMathspace{1}.\mdMathspace{1}(\mathid{x}\mdMathspace{1}=\mdMathspace{1}\mathid{E}\mdMathspace{1}[\mdMathspace{1}\mathid{x}\mdMathspace{1}\rightarrow \mathid{y}\mdMathspace{1}])\mdMathspace{1}\wedge \mathid{P}\mdMathspace{1}[\mdMathspace{1}\mathid{x}\mdMathspace{1}\rightarrow \mathid{y}\mdMathspace{1}]\mdMathbr{}
2.\mdMathspace{2}&\mdMathspace{1}\mathid{SP}(\mathid{P},\mdMathspace{1}\mathkw{skip})\mdMathspace{1}{~\buildrel\triangle\over=~}\mdMathspace{1}\mathid{P}\mdMathbr{}
3.\mdMathspace{2}&\mdMathspace{1}\mathid{SP}(\mathid{P},\mathid{S}_{1};\mathid{S}_{2})\mdMathspace{1}{~\buildrel\triangle\over=~}\mdMathspace{1}\mathid{SP}(\mathid{SP}(\mathid{P},\mathid{S}_{1}),\mdMathspace{1}\mathid{S}_{2})\mdMathbr{}
4.\mdMathspace{2}&\mdMathspace{1}\mathid{SP}(\mathid{P},\mathkw{if}\mdMathspace{1}\mathid{E}\mdMathspace{1}\mathkw{then}\mdMathspace{1}\mathid{S}_1\mdMathspace{1}\mathkw{else}\mdMathspace{1}\mathid{S}_2\mdMathspace{1}\mathkw{end})\mdMathspace{1}{~\buildrel\triangle\over=~}\mdMathbr{}
\mdMathindent{4}&\mdMathspace{7}\mathid{SP}(\mathid{P}\wedge \mathid{E},\mathid{S}_1)\mdMathspace{1}\vee \mathid{SP}(\mathid{P}\mdMathspace{1}\wedge \neg \mathid{E},\mathid{S}_2)\mdMathbr{}
5.\mdMathspace{2}&\mdMathspace{1}\mathid{SP}(\mathid{P},\mathkw{while}\mdMathspace{1}\mathid{E}\mdMathspace{1}\mathkw{do}\mdMathspace{1}\mathid{S}\mdMathspace{1}\mathkw{end})\mdMathspace{1}{~\buildrel\triangle\over=~}\mdMathbr{}
\mdMathindent{4}&\mdMathspace{6}\mathid{SP}(\mathid{P},\mathkw{if}\mdMathspace{1}\mathid{E}\mdMathspace{1}\mathkw{then}\mdMathspace{1}\mathid{S};\mdMathspace{1}\mathkw{while}\mdMathspace{1}\mathid{E}\mdMathspace{1}\mathkw{do}\mdMathspace{1}\mathid{S}\mdMathspace{1}\mathkw{end}\mdMathspace{1}\mathkw{else}\mdMathspace{1}\mathkw{skip}\mdMathspace{1}\mathkw{end})
\end{mdMathprearray}%mdk
\]%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[data-line={483}]%
%mdk-data-line={483}
{}Rule (1) defines the strongest postcondition for
the assignment statement. The assignment is modeled
logically by the equality %mdk-data-line={485}
{}\mdSpan[class={math-inline},elem={math-inline}]{$x = E$}%mdk-data-line={485}
{} where any free occurrence of %mdk-data-line={485}
{}\mdSpan[class={math-inline},elem={math-inline}]{$x$}%mdk-data-line={485}
{} in %mdk-data-line={485}
{}\mdSpan[class={math-inline},elem={math-inline}]{$E$}%mdk-data-line={485}
{}
is replaced by the existentially quantified variable %mdk-data-line={486}
{}\mdSpan[class={math-inline},elem={math-inline}]{$y$}%mdk-data-line={486}
{}, which represents
the value of %mdk-data-line={487}
{}\mdSpan[class={math-inline},elem={math-inline}]{$x$}%mdk-data-line={487}
{} in the pre-state. The same substitution (%mdk-data-line={487}
{}\mdSpan[class={math-inline},elem={math-inline}]{$[x \rightarrow y ]$}%mdk-data-line={487}
{})
is applied to the pre-state predicate %mdk-data-line={488}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={488}
{}.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={490}]%
%mdk-data-line={490}
{}Rules (2)-(5) define the strongest postcondition for the four control-flow
statements. The rules for the %mdk-data-line={491}
{}\mdStrong{skip}%mdk-data-line={491}
{} statement and sequencing (;) are
straightforward.
Of particular interest, note that the rule for the %mdk-data-line={493}
{}\mdStrong{if-then-else}%mdk-data-line={493}
{}
statement splits cases on the expression %mdk-data-line={494}
{}\mdSpan[class={math-inline},elem={math-inline}]{$E$}%mdk-data-line={494}
{}.
It is here that DSE will choose one of the cases for us, as the concrete
execution will evaluate %mdk-data-line={496}
{}\mdSpan[class={math-inline},elem={math-inline}]{$E$}%mdk-data-line={496}
{} either to be true or false. This gives rise
to the path-condition (either %mdk-data-line={497}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P \wedge E$}%mdk-data-line={497}
{} or %mdk-data-line={497}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P \wedge \neg E$}%mdk-data-line={497}
{}). The
recursive rule for the %mdk-data-line={498}
{}\mdStrong{while}%mdk-data-line={498}
{} loop unfolds as many times as the
expression %mdk-data-line={499}
{}\mdSpan[class={math-inline},elem={math-inline}]{$E$}%mdk-data-line={499}
{} evaluates true, adding to the path-condition.%
\end{mdP}%
\mdHxxx[id=sp-refined,label={[3.2]\{.heading-label\}},toc={},data-line={501},caption={[[3.2]\{.heading-label\}.{\hspace{0.5em}}]\{.heading-before\}From \$SP\$ to DSE},bookmark={3.2.{\hspace{0.5em}}From \$SP\$ to DSE}]{%mdk-data-line={501}
{}\mdSpan[class={heading-before}]{\mdSpan[class={heading-label}]{3.2}.{\hspace{0.5em}}}%mdk-data-line={501}
{}From %mdk-data-line={501}
{}\mdSpan[class={math-inline},elem={math-inline}]{$SP$}%mdk-data-line={501}
{} to DSE}\begin{mdP}[data-line={503}]%
%mdk-data-line={503}
{}Assume that an execution begins with the assignment of initial values %mdk-data-line={503}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c_1 \ldots c_k$}%mdk-data-line={503}
{} to the program %mdk-data-line={503}
{}\mdSpan[class={math-inline},elem={math-inline}]{$P$}%mdk-data-line={503}
{}{'}%mdk-data-line={503}
{}s inputs
%mdk-data-line={504}
{}\mdSpan[class={math-inline},elem={math-inline}]{$V = \{ v_1 : T_1 \ldots v_k : T_k \}$}%mdk-data-line={504}
{}. To seed symbolic execution, some of the types %mdk-data-line={504}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T_i$}%mdk-data-line={504}
{} are
replaced by symbolic counterparts %mdk-data-line={505}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T'_i$}%mdk-data-line={505}
{}, in which case
%mdk-data-line={506}
{}\mdSpan[class={math-inline},elem={math-inline}]{$v_i$}%mdk-data-line={506}
{} is initialized to the value %mdk-data-line={506}
{}\mdSpan[class={math-inline},elem={math-inline}]{$sc_i = T'_i (c_i,SC(v_i))$}%mdk-data-line={506}
{} instead of the value %mdk-data-line={506}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c_i$}%mdk-data-line={506}
{},
where %mdk-data-line={507}
{}\mdSpan[class={math-inline},elem={math-inline}]{$SC(v_i)$}%mdk-data-line={507}
{} is the symbolic constant representing the initial value of variable %mdk-data-line={507}
{}\mdSpan[class={math-inline},elem={math-inline}]{$v_i$}%mdk-data-line={507}
{}.
The symbolic constant %mdk-data-line={508}
{}\mdSpan[class={math-inline},elem={math-inline}]{$SC(v_i)$}%mdk-data-line={508}
{} can be thought of as representing any value of
type %mdk-data-line={509}
{}\mdSpan[class={math-inline},elem={math-inline}]{$T_i$}%mdk-data-line={509}
{}, which includes the value %mdk-data-line={509}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c_i$}%mdk-data-line={509}
{}.%mdk-data-line={509}
{} %mdk-data-line={509}
{}%
\end{mdP}%
\begin{mdP}[class={indent,para-continue},data-line={511}]%
%mdk-data-line={511}
{}Let %mdk-data-line={511}
{}\mdSpan[class={math-inline},elem={math-inline}]{$V_s$}%mdk-data-line={511}
{} and %mdk-data-line={511}
{}\mdSpan[class={math-inline},elem={math-inline}]{$V_c$}%mdk-data-line={511}
{} partition the variables of %mdk-data-line={511}
{}\mdSpan[class={math-inline},elem={math-inline}]{$V$}%mdk-data-line={511}
{} into those variables
that are treated symbolically (%mdk-data-line={512}
{}\mdSpan[class={math-inline},elem={math-inline}]{$V_s$}%mdk-data-line={512}
{}) and those that are treated concretely
(%mdk-data-line={513}
{}\mdSpan[class={math-inline},elem={math-inline}]{$V_c$}%mdk-data-line={513}
{}). The initial state of the program is characterized by the formula%
\end{mdP}%
\begin{mdDiv}[class={equation,para-block},label={[(1)]\{.equation-label\}},elem={equation},line-adjust={0},data-line={515}]%
%mdk-data-line={515}
{}\mdSpan[class={equation-before}]{\mdSpan[class={equation-label}]{(1)}}%mdk-data-line={515}
{}
\begin{mdDiv}[class={mathdisplay,para-block,input-math},elem={mathdisplay},color={},math-needpdf={},line-adjust={0},data-line={516}]%
\begin{mdDiv}[class={math-display}]%
\[%mdk-data-line={516}
Init = (\bigwedge_{v_i \in V_s} v_i = sc_i) ~\wedge~ (~\bigwedge_{v_i \in V_c} v_i = c_i)
\]%
\end{mdDiv}%%
\end{mdDiv}%%
\end{mdDiv}%
\begin{mdP}[data-line={519}]%
%mdk-data-line={519}
{}Thus, we see that the initial value of every input variable is characterized by
a symbolic constant %mdk-data-line={520}
{}\mdSpan[class={math-inline},elem={math-inline}]{$sc_i$}%mdk-data-line={520}
{} or constant %mdk-data-line={520}
{}\mdSpan[class={math-inline},elem={math-inline}]{$c_i$}%mdk-data-line={520}
{}. We assume that every non-input
variable in the program is initialized before being used.%
\end{mdP}%
\begin{mdP}[class={indent},data-line={523}]%
%mdk-data-line={523}
{}The strongest postcondition is formulated to deal with open programs,
programs in which some variables are used before being assigned to.
This surfaces in Rule (1) for assignment, which uses existential quantification
to refer to the value of variable %mdk-data-line={526}
{}\mdSpan[class={math-inline},elem={math-inline}]{$x$}%mdk-data-line={526}
{} in the pre-state.%
\end{mdP}%
\begin{mdP}[class={indent,para-continue},data-line={528}]%
%mdk-data-line={528}
{}By construction,
we have that every variable is defined before being used.
gitextract_nf65lu9d/ ├── .gitattributes ├── .gitignore ├── README.md ├── TODO.md ├── Vagrantfile ├── copyright.txt ├── fail/ │ ├── arrayindex.py │ ├── dictbool.py │ ├── divzero.py │ ├── git.py │ ├── pow.py │ └── sqrttest.py ├── marktoberdorf_paper/ │ ├── DSE/ │ │ ├── CodeReview.pptx │ │ ├── DSE.mdk │ │ ├── IOS-Book-Article.cls │ │ ├── cpp2.json │ │ ├── dse.bib │ │ ├── ignores.dic │ │ └── out/ │ │ └── DSE.tex │ ├── DSE.html │ └── forPublisher/ │ ├── IOS-Book-Article.cls │ ├── css.sty │ ├── dse.tex │ └── madoko.sty ├── marktoberdorf_slides/ │ ├── CodeReview.pptx │ ├── Marktoberdorf2014_1.pptx │ ├── Marktoberdorf2014_2.pptx │ ├── Marktoberdorf2014_3.pptx │ ├── Marktoberdorf2014_4.pptx │ ├── collatz.py │ └── examples/ │ ├── adder.py │ ├── automata.py │ ├── check_adder.py │ ├── check_mult.py │ ├── first.py │ ├── hats.py │ ├── mult.py │ └── mult2.py ├── pyexz3.py ├── run_tests.py ├── setup.bat ├── setup.sh ├── symbolic/ │ ├── __init__.py │ ├── args.py │ ├── constraint.py │ ├── cvc_expr/ │ │ ├── __init__.py │ │ ├── exprbuilder.py │ │ ├── expression.py │ │ ├── integer.py │ │ └── string.py │ ├── cvc_wrap.py │ ├── explore.py │ ├── invocation.py │ ├── loader.py │ ├── path_to_constraint.py │ ├── predicate.py │ ├── symbolic_types/ │ │ ├── __init__.py │ │ ├── symbolic_dict.py │ │ ├── symbolic_int.py │ │ ├── symbolic_str.py │ │ └── symbolic_type.py │ ├── z3_expr/ │ │ ├── __init__.py │ │ ├── bitvector.py │ │ ├── expression.py │ │ └── integer.py │ └── z3_wrap.py ├── test/ │ ├── abs_test.py │ ├── andor.py │ ├── arrayindex2.py │ ├── bad_eq.py │ ├── bignum.py │ ├── binary_search.py │ ├── bitwidth.py │ ├── complex.py │ ├── cseppento1.py │ ├── cseppento2.py │ ├── cseppento3.py │ ├── cvc/ │ │ ├── effectivebool.py │ │ ├── emptystr.py │ │ ├── escape.py │ │ ├── none.py │ │ ├── strcontains.py │ │ ├── strcount.py │ │ ├── strfind.py │ │ ├── strfindbeg.py │ │ ├── strindex.py │ │ ├── stringadd.py │ │ ├── stringtest.py │ │ ├── strmiddle.py │ │ ├── strreplace.py │ │ ├── strslice.py │ │ ├── strsplit.py │ │ ├── strstartswith.py │ │ ├── strstrip.py │ │ └── strsubstring.py │ ├── decorator.py │ ├── decorator_dict.py │ ├── diamond.py │ ├── dict.py │ ├── dictionary.py │ ├── elseif.py │ ├── expand.py │ ├── expressions.py │ ├── filesys.py │ ├── fp.py │ ├── gcd.py │ ├── hashval.py │ ├── len_test.py │ ├── lib/ │ │ ├── __init__.py │ │ ├── bsearch.py │ │ └── se_dict.py │ ├── list.py │ ├── logical_op.py │ ├── loop.py │ ├── many_branches.py │ ├── maxtest.py │ ├── mod.py │ ├── modulo.py │ ├── modulo2.py │ ├── mult_assmt.py │ ├── polyspace.py │ ├── power.py │ ├── power2.py │ ├── powtest.py │ ├── reverse.py │ ├── set.py │ ├── shallow_branches.py │ ├── simple.py │ ├── swap.py │ ├── tmp │ ├── tuplecmp.py │ ├── unnecessary_condition.py │ ├── unnecessary_condition2.py │ ├── unnecessary_condition3.py │ ├── unnecessary_condition4.py │ ├── weird.py │ └── whileloop.py ├── tools/ │ └── symbolic_int_subtype.py ├── utils.py └── vagrant.sh
SYMBOL INDEX (401 symbols across 107 files)
FILE: fail/arrayindex.py
function arrayindex (line 11) | def arrayindex(i):
function expected_result (line 17) | def expected_result():
FILE: fail/dictbool.py
function dictbool (line 4) | def dictbool(d):
function expected_result (line 10) | def expected_result():
FILE: fail/divzero.py
function divzero (line 4) | def divzero(in1,in2):
function expected_result (line 14) | def expected_result():
FILE: fail/git.py
function git (line 4) | def git(a,b):
FILE: fail/pow.py
function pow (line 5) | def pow(x):
function expected_result (line 11) | def expected_result():
FILE: fail/sqrttest.py
function sqrttest (line 5) | def sqrttest(in1):
function expected_result (line 12) | def expected_result():
FILE: marktoberdorf_slides/collatz.py
function collatz (line 1) | def collatz(n):
function max_iters (line 10) | def max_iters():
function expected_result_set (line 13) | def expected_result_set():
FILE: marktoberdorf_slides/examples/adder.py
function add1 (line 3) | def add1(x0,y0,c0):
function addN (line 7) | def addN(xN,yN,cin):
FILE: marktoberdorf_slides/examples/automata.py
function q0axiom (line 32) | def q0axiom():
function q1axiom (line 37) | def q1axiom():
function q2axiom (line 43) | def q2axiom():
function q3axiom (line 48) | def q3axiom():
function q4axiom (line 53) | def q4axiom():
function lengthGE (line 58) | def lengthGE(x,k):
function test (line 65) | def test():
FILE: marktoberdorf_slides/examples/check_adder.py
function eq_bool (line 15) | def eq_bool(bv, i, b):
function eq_bitvec_boolvec (line 18) | def eq_bitvec_boolvec(bitvec,boolvec):
FILE: marktoberdorf_slides/examples/check_mult.py
function eq_bool (line 15) | def eq_bool(bv, i, b):
function eq_bitvec_boolvec (line 18) | def eq_bitvec_boolvec(bitvec,boolvec):
FILE: marktoberdorf_slides/examples/hats.py
function bounded (line 17) | def bounded(x):
FILE: marktoberdorf_slides/examples/mult.py
function multN (line 10) | def multN(xN,yN):
FILE: marktoberdorf_slides/examples/mult2.py
function multcell (line 6) | def multcell(a,b,c,s):
function multN (line 12) | def multN(xN,yN):
function add1 (line 37) | def add1(x0,y0,c0):
FILE: run_tests.py
class bcolors (line 8) | class bcolors:
function myprint (line 14) | def myprint(color, s, *args):
FILE: symbolic/args.py
function symbolic (line 1) | def symbolic(**arg_types):
function concrete (line 7) | def concrete(**arg_types):
FILE: symbolic/constraint.py
class Constraint (line 7) | class Constraint:
method __init__ (line 11) | def __init__(self, parent, last_predicate):
method __eq__ (line 20) | def __eq__(self, other):
method getAssertsAndQuery (line 29) | def getAssertsAndQuery(self):
method getLength (line 41) | def getLength(self):
method __str__ (line 46) | def __str__(self):
method __repr__ (line 49) | def __repr__(self):
method findChild (line 55) | def findChild(self, predicate):
method addChild (line 61) | def addChild(self, predicate):
FILE: symbolic/cvc_expr/exprbuilder.py
class ExprBuilder (line 12) | class ExprBuilder(object):
method __init__ (line 13) | def __init__(self, asserts, query, solver):
method _toCVC (line 20) | def _toCVC(self, asserts, query):
method _predToCVC (line 28) | def _predToCVC(self, pred, env=None):
method _getVariable (line 40) | def _getVariable(self, symbolic_var):
method _wrapIf (line 52) | def _wrapIf(self, expr, env):
method _astToCVCExpr (line 58) | def _astToCVCExpr(self, expr, env=None):
FILE: symbolic/cvc_expr/expression.py
class CVCExpression (line 9) | class CVCExpression(object):
method __init__ (line 12) | def __init__(self, cvc_expr, solver):
method variable (line 18) | def variable(cls, name, solver):
method constant (line 22) | def constant(cls, v, solver):
method getvalue (line 25) | def getvalue(self):
method ite (line 28) | def ite(self, th, el):
method __and__ (line 33) | def __and__(self, other):
method __xor__ (line 36) | def __xor__(self, other):
method __or__ (line 39) | def __or__(self, other):
method not_op (line 42) | def not_op(self):
method __ne__ (line 45) | def __ne__(self, other):
method __eq__ (line 49) | def __eq__(self, other):
method __lt__ (line 52) | def __lt__(self, other):
method __gt__ (line 55) | def __gt__(self, other):
method __ge__ (line 58) | def __ge__(self, other):
method __le__ (line 61) | def __le__(self, other):
method __str__ (line 64) | def __str__(self):
FILE: symbolic/cvc_expr/integer.py
class CVCInteger (line 11) | class CVCInteger(CVCExpression):
method variable (line 36) | def variable(cls, name, solver):
method constant (line 42) | def constant(cls, v, solver):
method getvalue (line 46) | def getvalue(self):
method __add__ (line 58) | def __add__(self, other):
method __sub__ (line 61) | def __sub__(self, other):
method __mul__ (line 64) | def __mul__(self, other):
method __truediv__ (line 67) | def __truediv__(self, other):
method __mod__ (line 70) | def __mod__(self, other):
method __or__ (line 73) | def __or__(self, other):
method __and__ (line 76) | def __and__(self, other):
method __xor__ (line 79) | def __xor__(self, other):
method __lshift__ (line 82) | def __lshift__(self, other):
method __rshift__ (line 85) | def __rshift__(self, other):
method tobv (line 88) | def tobv(self):
method bvsanity (line 92) | def bvsanity(self):
method _bvhelper (line 95) | def _bvhelper(self, other, op):
method _assert_bvbounds (line 101) | def _assert_bvbounds(self, bvexpr):
FILE: symbolic/cvc_expr/string.py
class CVCString (line 11) | class CVCString(CVCExpression):
method variable (line 15) | def variable(cls, name, solver):
method constant (line 21) | def constant(cls, v, solver):
method getvalue (line 30) | def getvalue(self):
method len (line 38) | def len(self):
method __add__ (line 41) | def __add__(self, other):
method __contains__ (line 45) | def __contains__(self, item):
method __getitem__ (line 49) | def __getitem__(self, item):
method find (line 68) | def find(self, findstr, beg):
method replace (line 77) | def replace(self, old, new):
method startswith (line 80) | def startswith(self, prefix):
FILE: symbolic/cvc_wrap.py
class CVCWrapper (line 13) | class CVCWrapper(object):
method __init__ (line 25) | def __init__(self):
method findCounterexample (line 31) | def findCounterexample(self, asserts, query):
method _findModel (line 48) | def _findModel(self):
method _getModel (line 70) | def _getModel(variables):
method _coneOfInfluence (line 75) | def _coneOfInfluence(asserts, query):
FILE: symbolic/explore.py
class ExplorationEngine (line 14) | class ExplorationEngine:
method __init__ (line 15) | def __init__(self, funcinv, solver="z3"):
method addConstraint (line 42) | def addConstraint(self, constraint):
method explore (line 47) | def explore(self, max_iterations=0):
method _updateSymbolicParameter (line 84) | def _updateSymbolicParameter(self, name, val):
method _getInputs (line 87) | def _getInputs(self):
method _setInputs (line 90) | def _setInputs(self,d):
method _isExplorationComplete (line 93) | def _isExplorationComplete(self):
method _getConcrValue (line 102) | def _getConcrValue(self,v):
method _recordInputs (line 108) | def _recordInputs(self):
method _oneExecution (line 114) | def _oneExecution(self,expected_path=None):
FILE: symbolic/invocation.py
class FunctionInvocation (line 3) | class FunctionInvocation:
method __init__ (line 4) | def __init__(self, function, reset):
method callFunction (line 10) | def callFunction(self,args):
method addArgumentConstructor (line 14) | def addArgumentConstructor(self, name, init, constructor):
method getNames (line 18) | def getNames(self):
method createArgumentValue (line 21) | def createArgumentValue(self,name,val=None):
FILE: symbolic/loader.py
class Loader (line 15) | class Loader:
method __init__ (line 16) | def __init__(self, filename, entry):
method getFile (line 25) | def getFile(self):
method getEntry (line 28) | def getEntry(self):
method createInvocation (line 31) | def createInvocation(self):
method _initializeArgumentConcrete (line 63) | def _initializeArgumentConcrete(inv,f,val):
method _initializeArgumentSymbolic (line 66) | def _initializeArgumentSymbolic(inv,f,val,st):
method executionComplete (line 69) | def executionComplete(self, return_vals):
method _resetCallback (line 80) | def _resetCallback(self,firstpass=False):
method _execute (line 97) | def _execute(self, **args):
method _toBag (line 100) | def _toBag(self,l):
method _check (line 109) | def _check(self, computed, expected, as_bag=True):
function loaderFactory (line 120) | def loaderFactory(filename,entry):
FILE: symbolic/path_to_constraint.py
class PathToConstraint (line 10) | class PathToConstraint:
method __init__ (line 11) | def __init__(self, add):
method reset (line 18) | def reset(self,expected):
method whichBranch (line 29) | def whichBranch(self, branch, symbolic_type):
method toDot (line 69) | def toDot(self):
method _toDot (line 75) | def _toDot(self,c):
FILE: symbolic/predicate.py
class Predicate (line 3) | class Predicate:
method __init__ (line 6) | def __init__(self, st, result):
method getVars (line 10) | def getVars(self):
method __eq__ (line 13) | def __eq__(self, other):
method __hash__ (line 20) | def __hash__(self):
method __str__ (line 23) | def __str__(self):
method __repr__ (line 26) | def __repr__(self):
method negate (line 29) | def negate(self):
FILE: symbolic/symbolic_types/__init__.py
function getSymbolic (line 15) | def getSymbolic(v):
FILE: symbolic/symbolic_types/symbolic_dict.py
class SymbolicDict (line 13) | class SymbolicDict(SymbolicObject,dict):
method __new__ (line 14) | def __new__(cls, name, *args, **kwargs):
method __init__ (line 18) | def __init__(self, name, kwargs):
method getConcrValue (line 22) | def getConcrValue(self):
method __bool__ (line 25) | def __bool__(self):
FILE: symbolic/symbolic_types/symbolic_int.py
class SymbolicInteger (line 10) | class SymbolicInteger(SymbolicObject,int):
method __new__ (line 13) | def __new__(cls, name, v, expr=None):
method __init__ (line 16) | def __init__(self, name, v, expr=None):
method getConcrValue (line 20) | def getConcrValue(self):
method wrap (line 23) | def wrap(conc,sym):
method __hash__ (line 26) | def __hash__(self):
method _op_worker (line 29) | def _op_worker(self,args,fun,op):
function make_method (line 46) | def make_method(method,op,a):
FILE: symbolic/symbolic_types/symbolic_str.py
class SymbolicStr (line 5) | class SymbolicStr(SymbolicObject, str):
method __new__ (line 7) | def __new__(cls, name, v, expr=None):
method __init__ (line 10) | def __init__(self, name, v, expr=None):
method getConcrValue (line 14) | def getConcrValue(self):
method wrap (line 17) | def wrap(conc, sym):
method __hash__ (line 20) | def __hash__(self):
method _op_worker (line 23) | def _op_worker(self, args, fun, op):
method __bool__ (line 26) | def __bool__(self):
method __len__ (line 29) | def __len__(self):
method __contains__ (line 33) | def __contains__(self, item):
method __getitem__ (line 37) | def __getitem__(self, key):
method find (line 47) | def find(self, findstr, beg=0):
method startswith (line 52) | def startswith(self, prefix):
method split (line 57) | def split(self, sep=None, maxsplit=None):
method count (line 70) | def count(self, sub):
method _replace (line 85) | def _replace(self, old, new):
method replace (line 89) | def replace(self, old, new, maxreplace=-1):
method strip (line 104) | def strip(self, chars=None):
function make_method (line 120) | def make_method(method,op,a):
FILE: symbolic/symbolic_types/symbolic_type.py
class SymbolicType (line 10) | class SymbolicType(object):
method __init__ (line 11) | def __init__(self, name, expr=None):
method getConcrValue (line 17) | def getConcrValue(self):
method wrap (line 20) | def wrap(conc,sym):
method isVariable (line 25) | def isVariable(self):
method unwrap (line 28) | def unwrap(self):
method getVars (line 34) | def getVars(self):
method _getVarsLeaves (line 42) | def _getVarsLeaves(self,l):
method _do_sexpr (line 51) | def _do_sexpr(self,args,fun,op,wrap):
method symbolicEq (line 58) | def symbolicEq(self, other):
method _eq_worker (line 65) | def _eq_worker(self, expr1, expr2):
method toString (line 77) | def toString(self):
method _toString (line 83) | def _toString(self,expr):
class SymbolicObject (line 95) | class SymbolicObject(SymbolicType,object):
method __init__ (line 96) | def __init__(self, name, expr=None):
method wrap (line 101) | def wrap(conc,sym):
method __bool__ (line 110) | def __bool__(self):
method _do_bin_op (line 117) | def _do_bin_op(self, other, fun, op, wrap):
method __eq__ (line 120) | def __eq__(self, other):
method __ne__ (line 124) | def __ne__(self, other):
method __lt__ (line 127) | def __lt__(self, other):
method __le__ (line 130) | def __le__(self, other):
method __gt__ (line 133) | def __gt__(self, other):
method __ge__ (line 136) | def __ge__(self, other):
FILE: symbolic/z3_expr/bitvector.py
class Z3BitVector (line 4) | class Z3BitVector(Z3Expression):
method __init__ (line 5) | def __init__(self,N):
method _isIntVar (line 9) | def _isIntVar(self,v):
method _variable (line 12) | def _variable(self,name,solver):
method _constant (line 15) | def _constant(self,v,solver):
FILE: symbolic/z3_expr/expression.py
class Z3Expression (line 7) | class Z3Expression(object):
method __init__ (line 8) | def __init__(self):
method toZ3 (line 11) | def toZ3(self,solver,asserts,query):
method predToZ3 (line 16) | def predToZ3(self,pred,solver,env=None):
method getIntVars (line 28) | def getIntVars(self):
method _isIntVar (line 33) | def _isIntVar(self, v):
method _getIntegerVariable (line 36) | def _getIntegerVariable(self,name,solver):
method _variable (line 41) | def _variable(self,name,solver):
method _constant (line 44) | def _constant(self,v,solver):
method _wrapIf (line 47) | def _wrapIf(self,e,solver,env):
method _astToZ3Expr (line 54) | def _astToZ3Expr(self,expr,solver,env=None):
method _add (line 121) | def _add(self, l, r, solver):
method _sub (line 124) | def _sub(self, l, r, solver):
method _mul (line 127) | def _mul(self, l, r, solver):
method _div (line 130) | def _div(self, l, r, solver):
method _mod (line 133) | def _mod(self, l, r, solver):
method _lsh (line 136) | def _lsh(self, l, r, solver):
method _rsh (line 139) | def _rsh(self, l, r, solver):
method _xor (line 142) | def _xor(self, l, r, solver):
method _or (line 145) | def _or(self, l, r, solver):
method _and (line 148) | def _and(self, l, r, solver):
FILE: symbolic/z3_expr/integer.py
class Z3Integer (line 4) | class Z3Integer(Z3Expression):
method _isIntVar (line 5) | def _isIntVar(self,v):
method _variable (line 8) | def _variable(self,name,solver):
method _constant (line 11) | def _constant(self,v,solver):
method _mod (line 14) | def _mod(self, l, r, solver):
method _lsh (line 18) | def _lsh(self, l, r, solver):
method _rsh (line 22) | def _rsh(self, l, r, solver):
method _xor (line 26) | def _xor(self, l, r, solver):
method _or (line 30) | def _or(self, l, r, solver):
method _and (line 34) | def _and(self, l, r, solver):
FILE: symbolic/z3_wrap.py
class Z3Wrapper (line 13) | class Z3Wrapper(object):
method __init__ (line 14) | def __init__(self):
method findCounterexample (line 21) | def findCounterexample(self, asserts, query):
method _coneOfInfluence (line 37) | def _coneOfInfluence(self,asserts,query):
method _findModel (line 52) | def _findModel(self):
method _setAssertsQuery (line 88) | def _setAssertsQuery(self):
method _findModel2 (line 92) | def _findModel2(self):
method _getModel (line 124) | def _getModel(self):
method _boundIntegers (line 135) | def _boundIntegers(self,vars,val):
FILE: test/abs_test.py
function abs_test (line 1) | def abs_test(a,b):
function expected_result (line 8) | def expected_result():
FILE: test/andor.py
function andor (line 1) | def andor(x,y):
function expected_result (line 7) | def expected_result():
FILE: test/arrayindex2.py
function arrayindex2 (line 3) | def arrayindex2(i):
function expected_result (line 10) | def expected_result():
FILE: test/bad_eq.py
function bad_eq (line 1) | def bad_eq(i):
function expected_result (line 6) | def expected_result():
FILE: test/bignum.py
function bignum (line 3) | def bignum(a):
function expected_result (line 10) | def expected_result():
FILE: test/binary_search.py
function binary_search (line 5) | def binary_search(k):
function expected_result (line 18) | def expected_result():
FILE: test/bitwidth.py
function bitwidth (line 1) | def bitwidth(a):
function expected_result (line 7) | def expected_result():
FILE: test/complex.py
function complex (line 1) | def complex(x,y):
function expected_result_set (line 13) | def expected_result_set():
FILE: test/cseppento1.py
function cseppento1 (line 1) | def cseppento1(x,y):
function expected_result (line 21) | def expected_result():
FILE: test/cseppento2.py
function cseppento2 (line 1) | def cseppento2(a,b):
function expected_result (line 9) | def expected_result():
FILE: test/cseppento3.py
function cseppento3 (line 1) | def cseppento3(x):
FILE: test/cvc/effectivebool.py
function effectivebool (line 9) | def effectivebool(string, num):
function expected_result (line 18) | def expected_result():
FILE: test/cvc/emptystr.py
function emptystr (line 5) | def emptystr(s):
function expected_result (line 12) | def expected_result():
FILE: test/cvc/escape.py
function escape (line 5) | def escape(string):
function expected_result_set (line 12) | def expected_result_set():
FILE: test/cvc/none.py
function none (line 5) | def none(c):
function expected_result_set (line 12) | def expected_result_set():
FILE: test/cvc/strcontains.py
function strcontains (line 5) | def strcontains(s):
function expected_result (line 12) | def expected_result():
FILE: test/cvc/strcount.py
function strcount (line 5) | def strcount(s):
function expected_result_set (line 16) | def expected_result_set():
FILE: test/cvc/strfind.py
function strfind (line 5) | def strfind(s):
function expected_result (line 15) | def expected_result():
FILE: test/cvc/strfindbeg.py
function strfindbeg (line 5) | def strfindbeg(s):
function expected_result (line 15) | def expected_result():
FILE: test/cvc/strindex.py
function strindex (line 5) | def strindex(s):
function expected_result (line 16) | def expected_result():
FILE: test/cvc/stringadd.py
function stringadd (line 5) | def stringadd(s):
function expected_result (line 12) | def expected_result():
FILE: test/cvc/stringtest.py
function stringtest (line 5) | def stringtest(s):
function expected_result_set (line 14) | def expected_result_set():
FILE: test/cvc/strmiddle.py
function strmiddle (line 5) | def strmiddle(s):
function expected_result (line 13) | def expected_result():
FILE: test/cvc/strreplace.py
function strreplace (line 5) | def strreplace(s):
function expected_result_set (line 12) | def expected_result_set():
FILE: test/cvc/strslice.py
function strslice (line 5) | def strslice(s):
function expected_result_set (line 11) | def expected_result_set():
FILE: test/cvc/strsplit.py
function strsplit (line 5) | def strsplit(s):
function expected_result_set (line 11) | def expected_result_set():
FILE: test/cvc/strstartswith.py
function strstartswith (line 5) | def strstartswith(s):
function expected_result_set (line 11) | def expected_result_set():
FILE: test/cvc/strstrip.py
function strstrip (line 5) | def strstrip(s):
function expected_result_set (line 11) | def expected_result_set():
FILE: test/cvc/strsubstring.py
function strsubstring (line 5) | def strsubstring(s):
function expected_result (line 18) | def expected_result():
FILE: test/decorator.py
function decorator (line 5) | def decorator(a,b,c):
function expected_result (line 11) | def expected_result():
FILE: test/decorator_dict.py
function decorator_dict (line 4) | def decorator_dict(d):
function expected_result (line 10) | def expected_result():
FILE: test/diamond.py
function diamond (line 1) | def diamond(x,y,z):
function expected_result (line 11) | def expected_result():
FILE: test/dict.py
function dict (line 3) | def dict(x):
function expected_result (line 10) | def expected_result():
FILE: test/dictionary.py
function dictionary (line 7) | def dictionary(in1):
function expected_result (line 16) | def expected_result():
FILE: test/elseif.py
function elseif (line 5) | def elseif(in1):
function expected_result (line 28) | def expected_result():
FILE: test/expand.py
function expand (line 1) | def expand(in1, in2):
function expected_result (line 7) | def expected_result():
FILE: test/expressions.py
function expressions (line 3) | def expressions(in1, in2):
function expected_result (line 15) | def expected_result():
FILE: test/filesys.py
function filesys (line 4) | def filesys(x):
function expected_result_set (line 24) | def expected_result_set():
FILE: test/fp.py
function fp (line 1) | def fp(a):
function expected_result (line 11) | def expected_result():
FILE: test/gcd.py
function rec_gcd (line 1) | def rec_gcd(u,v):
function iter_gcd (line 26) | def iter_gcd(u,v):
function gcd (line 64) | def gcd(x,y):
function expected_result_set (line 75) | def expected_result_set():
FILE: test/hashval.py
function compute (line 3) | def compute(x):
function hashval (line 9) | def hashval(key):
function expected_result (line 16) | def expected_result():
FILE: test/len_test.py
class Foo (line 3) | class Foo():
method __init__ (line 4) | def __init__(self, var):
method __len__ (line 7) | def __len__(self):
function len_test (line 11) | def len_test(a):
function expected_result (line 18) | def expected_result():
FILE: test/lib/bsearch.py
function bsearch (line 2) | def bsearch(a,k):
FILE: test/lib/se_dict.py
class SymbolicDictionary (line 3) | class SymbolicDictionary(dict):
method __init__ (line 4) | def __init__(self, *args, **kwargs):
method has_key (line 8) | def has_key(self, key):
FILE: test/list.py
function list (line 1) | def list(a,b):
function expected_result_set (line 7) | def expected_result_set():
FILE: test/logical_op.py
function logical_op (line 3) | def logical_op(in1, in2):
function expected_result (line 14) | def expected_result():
FILE: test/loop.py
function loop (line 1) | def loop(in1,in2):
function expected_result (line 10) | def expected_result():
FILE: test/many_branches.py
function many_branches (line 5) | def many_branches(in1, in2, in3):
function expected_result (line 31) | def expected_result():
FILE: test/maxtest.py
function max2 (line 4) | def max2(s,t):
function max4 (line 10) | def max4(x,y,x2,y2):
function maxtest (line 13) | def maxtest(a,b,c,d):
function expected_result (line 20) | def expected_result():
FILE: test/mod.py
function mod (line 1) | def mod(x,y):
function expected_result (line 7) | def expected_result():
FILE: test/modulo.py
function modulo (line 1) | def modulo(in1):
function expected_result (line 8) | def expected_result():
FILE: test/modulo2.py
function modulo2 (line 1) | def modulo2(in1):
function expected_result (line 11) | def expected_result():
FILE: test/mult_assmt.py
function mult_assmt (line 2) | def mult_assmt(in1,in2,in3):
function expected_result (line 15) | def expected_result():
FILE: test/polyspace.py
function where_are_the_errors (line 1) | def where_are_the_errors(input):
function polyspace (line 17) | def polyspace(i):
function expected_result (line 21) | def expected_result():
FILE: test/power.py
function power (line 6) | def power(x):
function expected_result (line 12) | def expected_result():
FILE: test/power2.py
function power2 (line 1) | def power2(x):
function expected_result (line 11) | def expected_result():
FILE: test/powtest.py
function powtest (line 1) | def powtest(in1):
function expected_result (line 8) | def expected_result():
FILE: test/reverse.py
function reverse (line 3) | def reverse(x):
function expected_result (line 8) | def expected_result():
FILE: test/set.py
function set (line 3) | def set(x):
function expected_result (line 9) | def expected_result():
FILE: test/shallow_branches.py
function shallow_branches (line 5) | def shallow_branches(in1, in2, in3, in4, in5):
function expected_result (line 23) | def expected_result():
FILE: test/simple.py
function simple (line 1) | def simple(x):
function expected_result (line 7) | def expected_result():
FILE: test/swap.py
function swap (line 1) | def swap(in1,in2):
function expected_result (line 16) | def expected_result():
FILE: test/tuplecmp.py
function tuplelt (line 1) | def tuplelt(a, b):
function tuplecmp (line 11) | def tuplecmp(a0, a1, b0, b1):
function expected_result (line 14) | def expected_result():
FILE: test/unnecessary_condition.py
function unnecessary_condition (line 1) | def unnecessary_condition(in1,in2):
function expected_result (line 10) | def expected_result():
FILE: test/unnecessary_condition2.py
function unnecessary_condition2 (line 1) | def unnecessary_condition2(in1,in2):
function expected_result (line 11) | def expected_result():
FILE: test/unnecessary_condition3.py
function unnecessary_condition3 (line 1) | def unnecessary_condition3(in1):
function op (line 8) | def op(in1):
function expected_result (line 20) | def expected_result():
FILE: test/unnecessary_condition4.py
function unnecessary_condition4 (line 1) | def unnecessary_condition4(in1):
function op (line 10) | def op(in1):
function expected_result (line 22) | def expected_result():
FILE: test/weird.py
function weird (line 1) | def weird(x,y):
function expected_result (line 7) | def expected_result():
FILE: test/whileloop.py
function whileloop (line 1) | def whileloop(x):
FILE: tools/symbolic_int_subtype.py
function symbolic_int_subtype (line 25) | def symbolic_int_subtype(func_index, a, b, c):
FILE: utils.py
function traceback (line 6) | def traceback():
function crash (line 11) | def crash(msg):
Condensed preview — 140 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (1,310K chars).
[
{
"path": ".gitattributes",
"chars": 483,
"preview": "# Auto detect text files and perform LF normalization\n* text=auto\n\n# Custom for Visual Studio\n*.cs diff=csharp\n*.sln"
},
{
"path": ".gitignore",
"chars": 2838,
"preview": "#################\n## Eclipse\n#################\n\n*.pydevproject\n.project\n.metadata\nbin/\ntmp/\n*.tmp\n*.bak\n*.swp\n*~.nib\nloc"
},
{
"path": "README.md",
"chars": 7836,
"preview": "PyExZ3\n======\n\n### Python Exploration with Z3\n\nThis code is a substantial rewrite of the NICE project's\n(http://code.goo"
},
{
"path": "TODO.md",
"chars": 601,
"preview": "TODO List\n=========\n\n- add basic support for SymbolicDictionary\n - \n- need to capture exceptions thrown by code under t"
},
{
"path": "Vagrantfile",
"chars": 365,
"preview": "# -*- mode: ruby -*-\n# vi: set ft=ruby :\n\nVAGRANTFILE_API_VERSION = \"2\"\n\nVagrant.configure(VAGRANTFILE_API_VERSION) do |"
},
{
"path": "copyright.txt",
"chars": 1792,
"preview": "# Files that mention copyright.txt were derived from the NICE project\n#\n# Copyright (c) 2011, EPFL (Ecole Politechnique "
},
{
"path": "fail/arrayindex.py",
"chars": 492,
"preview": "A = [0, 1]\n\n# the index operation A[i] uses the underlying runtime representation\n# of the Python int, so we have no way"
},
{
"path": "fail/dictbool.py",
"chars": 168,
"preview": "from symbolic.args import *\n\n@symbolic(d={})\ndef dictbool(d):\n x = d or {}\n if x == {}:\n return 0\n retur"
},
{
"path": "fail/divzero.py",
"chars": 333,
"preview": "# this one fails because we always start with zero for SymbolicIntegers\n# we should have a few seed values to avoid this"
},
{
"path": "fail/git.py",
"chars": 1670,
"preview": "from symbolic.args import *\n\n@symbolic(a=0xdeaddeaddeaddead,b=0xbeefbeefbeefbeef)\ndef git(a,b):\n i=0;\n passkeyn=[a"
},
{
"path": "fail/pow.py",
"chars": 336,
"preview": "# this one fails because we treat the operator ** concretely rather than symbolically\n# so that the concrete value 0**2 "
},
{
"path": "fail/sqrttest.py",
"chars": 229,
"preview": "from math import sqrt\n\n# sqrt is handled concretely, just as with pow (**)\n\ndef sqrttest(in1):\n if sqrt(in1) == 0:\n "
},
{
"path": "marktoberdorf_paper/DSE/DSE.mdk",
"chars": 42866,
"preview": "Title : Deconstructing Dynamic Symbolic Execution\nAuthor : Thomas Ball, Jakub Daniel\nAffiliation : Microsoft "
},
{
"path": "marktoberdorf_paper/DSE/IOS-Book-Article.cls",
"chars": 36544,
"preview": "%% This is file `IOSarticle.cls'\n%%\n%% Generic LaTeX 2e class file for the IOS Press publications\n%%\n%% Macros written b"
},
{
"path": "marktoberdorf_paper/DSE/cpp2.json",
"chars": 104,
"preview": "{ \"name\": \"cpp2\", \n \"extend\": \"cpp\", \n \"extraKeywords\": [\"function\",\"override\",\"var\",\"instanceof\"]\n}"
},
{
"path": "marktoberdorf_paper/DSE/dse.bib",
"chars": 4558,
"preview": "@article{King76,\n author = {James C. King},\n title = {Symbolic Execution and Program Testing},\n journal = {Communicat"
},
{
"path": "marktoberdorf_paper/DSE/ignores.dic",
"chars": 0,
"preview": ""
},
{
"path": "marktoberdorf_paper/DSE/out/DSE.tex",
"chars": 172826,
"preview": "\\documentclass{IOS-Book-Article}\n% generated by Madoko, version 0.9.3-beta\n%mdk-data-line={1}\n\n\\usepackage[heading-base="
},
{
"path": "marktoberdorf_paper/DSE.html",
"chars": 632035,
"preview": "<!DOCTYPE html>\n<html>\n<head>\n <meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\" />\n <meta name=\"gene"
},
{
"path": "marktoberdorf_paper/forPublisher/IOS-Book-Article.cls",
"chars": 36544,
"preview": "%% This is file `IOSarticle.cls'\n%%\n%% Generic LaTeX 2e class file for the IOS Press publications\n%%\n%% Macros written b"
},
{
"path": "marktoberdorf_paper/forPublisher/css.sty",
"chars": 28730,
"preview": "%---------------------------------------------------------------------------\n% Copyright 2013 Microsoft Corporation.\n% "
},
{
"path": "marktoberdorf_paper/forPublisher/dse.tex",
"chars": 172596,
"preview": "\\documentclass{IOS-Book-Article}\n% generated by Madoko, version 0.9.3-beta\n%mdk-data-line={1}\n\n\n\\usepackage[heading-bas"
},
{
"path": "marktoberdorf_paper/forPublisher/madoko.sty",
"chars": 32022,
"preview": "%---------------------------------------------------------------------------\n% Copyright 2013 Microsoft Corporation.\n% "
},
{
"path": "marktoberdorf_slides/collatz.py",
"chars": 243,
"preview": "def collatz(n):\n if n <= 1:\n return 1\n else:\n if n % 2 == 0:\n return collatz(n // 2)\n "
},
{
"path": "marktoberdorf_slides/examples/adder.py",
"chars": 288,
"preview": "from z3 import *\n\ndef add1(x0,y0,c0):\n\treturn (simplify(Xor(Xor(x0,y0),c0)), \n simplify(Or(And(x0,y0),And"
},
{
"path": "marktoberdorf_slides/examples/automata.py",
"chars": 1856,
"preview": "from z3 import *\n\nChar = BitVecSort(8)\nList = Datatype('List')\nList.declare('cons', ('head', Char), ('tail', List))\nList"
},
{
"path": "marktoberdorf_slides/examples/check_adder.py",
"chars": 745,
"preview": "from adder import *\n\nN = 128\n\n# now prove that adder is equal to bitvector add \n\nxN = BoolVector(\"x\",N)\nyN = BoolVector("
},
{
"path": "marktoberdorf_slides/examples/check_mult.py",
"chars": 663,
"preview": "from mult import *\n\n# now prove that adder is equal to bitvector add \n\nN = 16\n\nxN = BoolVector(\"x\",N)\nyN = BoolVector(\"y"
},
{
"path": "marktoberdorf_slides/examples/first.py",
"chars": 208,
"preview": "from z3 import *\n\nx = BitVec(\"x\",8)\ny = BitVec(\"y\",8)\nz = BitVec(\"z\",8)\n\ns = Solver()\ns.add(x > 0,y > 0,z==x+y)\ns.add(No"
},
{
"path": "marktoberdorf_slides/examples/hats.py",
"chars": 765,
"preview": "from z3 import *\n\nN = 7\n\n# set up the bit vectors for the hats and what each person will guess\nhat = [ BitVec(\"Hat\"+s"
},
{
"path": "marktoberdorf_slides/examples/mult.py",
"chars": 547,
"preview": "from adder import *\n\n# x2 x1 x0\n# y2 y1 y0\n \n# And(x2,y0) And(x1,y0) And(x0,y0)\n# And(x1,y1) And(x0,y1) False\n# An"
},
{
"path": "marktoberdorf_slides/examples/mult2.py",
"chars": 874,
"preview": "from z3 import *\n\nN = 13\nzerosN = [BoolVal(False)] * N\n\ndef multcell(a,b,c,s):\n\t# I have to admit it is based on http://"
},
{
"path": "pyexz3.py",
"chars": 2099,
"preview": "# Copyright: see copyright.txt\n\nimport os\nimport sys\nimport logging\nimport traceback\nfrom optparse import OptionParser\n\n"
},
{
"path": "run_tests.py",
"chars": 1641,
"preview": "import os\nimport re\nimport sys\nimport subprocess\nfrom optparse import OptionParser\nfrom sys import platform as _platform"
},
{
"path": "setup.bat",
"chars": 198,
"preview": "set Z3HOME=c:\\z3\\bin\nset PYTHONHOME=c:\\Python34\nset GRAPHVIZHOME=\"c:\\Program Files (x86)\\Graphviz2.38\\bin\"\nset PATH=%PAT"
},
{
"path": "setup.sh",
"chars": 420,
"preview": "#!/bin/bash\n\n# Homebrew default locations (both for python and z3)\nexport PYTHONMODS=\"usr/local/lib/python2.7/site-packa"
},
{
"path": "symbolic/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "symbolic/args.py",
"chars": 211,
"preview": "def symbolic(**arg_types):\n\tdef decorator(f):\n\t\tf.symbolic_args = arg_types\n\t\treturn f\n\treturn decorator\n\ndef concrete(*"
},
{
"path": "symbolic/constraint.py",
"chars": 1612,
"preview": "# Copyright: see copyright.txt\n\nimport logging\n\nlog = logging.getLogger(\"se.constraint\")\n\nclass Constraint:\n\tcnt = 0\n\t\"\""
},
{
"path": "symbolic/cvc_expr/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "symbolic/cvc_expr/exprbuilder.py",
"chars": 5651,
"preview": "import logging\n\nfrom symbolic.cvc_expr.integer import CVCInteger\nfrom symbolic.cvc_expr.string import CVCString\nfrom sym"
},
{
"path": "symbolic/cvc_expr/expression.py",
"chars": 2164,
"preview": "import logging\n\nimport CVC4\n\n\nlog = logging.getLogger(\"se.cvc_expr.expr\")\n\n\nclass CVCExpression(object):\n CVC_TYPE = "
},
{
"path": "symbolic/cvc_expr/integer.py",
"chars": 4573,
"preview": "import logging\n\nimport CVC4\nfrom CVC4 import Rational, Integer\n\nfrom .expression import CVCExpression\n\nlog = logging.get"
},
{
"path": "symbolic/cvc_expr/string.py",
"chars": 3280,
"preview": "import logging\n\nimport CVC4\n\nfrom .expression import CVCExpression\nfrom .integer import CVCInteger\n\nlog = logging.getLog"
},
{
"path": "symbolic/cvc_wrap.py",
"chars": 3041,
"preview": "import logging\n\nimport utils\n\nimport CVC4\nfrom CVC4 import ExprManager, SmtEngine, SExpr\n\nfrom symbolic.cvc_expr.exprbui"
},
{
"path": "symbolic/explore.py",
"chars": 3439,
"preview": "# Copyright: see copyright.txt\n\nfrom collections import deque\nimport logging\nimport os\n\nfrom .z3_wrap import Z3Wrapper\nf"
},
{
"path": "symbolic/invocation.py",
"chars": 621,
"preview": "# Copyright: see copyright.txt\n\nclass FunctionInvocation:\n\tdef __init__(self, function, reset):\n\t\tself.function = functi"
},
{
"path": "symbolic/loader.py",
"chars": 4390,
"preview": "# Copyright: copyright.txt\n\nimport inspect\nimport re\nimport os\nimport sys\nfrom .invocation import FunctionInvocation\nfro"
},
{
"path": "symbolic/path_to_constraint.py",
"chars": 2610,
"preview": "# Copyright: see copyright.txt\n\nimport logging\n\nfrom .predicate import Predicate\nfrom .constraint import Constraint\n\nlog"
},
{
"path": "symbolic/predicate.py",
"chars": 747,
"preview": "# Copyright - see copyright.txt\n\nclass Predicate:\n\t\"\"\"Predicate is one specific ``if'' encountered during the program ex"
},
{
"path": "symbolic/symbolic_types/__init__.py",
"chars": 601,
"preview": "# Copyright: see copyright.txt\n\nfrom .symbolic_int import SymbolicInteger as SymInt\nfrom .symbolic_int import SymbolicOb"
},
{
"path": "symbolic/symbolic_types/symbolic_dict.py",
"chars": 1459,
"preview": "import ast\nimport sys\nfrom . symbolic_type import SymbolicObject\n\n# SymbolicDict: the key and values will both be Symbol"
},
{
"path": "symbolic/symbolic_types/symbolic_int.py",
"chars": 1579,
"preview": "# Copyright: copyright.txt\n\nfrom . symbolic_type import SymbolicObject\n\n# we use multiple inheritance to achieve concret"
},
{
"path": "symbolic/symbolic_types/symbolic_str.py",
"chars": 4977,
"preview": "from . symbolic_type import SymbolicObject\nfrom symbolic.symbolic_types.symbolic_int import SymbolicInteger\nfrom string "
},
{
"path": "symbolic/symbolic_types/symbolic_type.py",
"chars": 4049,
"preview": "# Copyright: see copyright.txt\n\nimport utils\nimport inspect\nimport functools\n\n# the ABSTRACT base class for representing"
},
{
"path": "symbolic/z3_expr/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "symbolic/z3_expr/bitvector.py",
"chars": 359,
"preview": "from z3 import *\nfrom .expression import Z3Expression\n\nclass Z3BitVector(Z3Expression):\n\tdef __init__(self,N):\n\t\tZ3Expre"
},
{
"path": "symbolic/z3_expr/expression.py",
"chars": 3831,
"preview": "import utils\n\nfrom symbolic.symbolic_types.symbolic_int import SymbolicInteger\nfrom symbolic.symbolic_types.symbolic_typ"
},
{
"path": "symbolic/z3_expr/integer.py",
"chars": 983,
"preview": "from z3 import *\nfrom .expression import Z3Expression\n\nclass Z3Integer(Z3Expression):\n\tdef _isIntVar(self,v):\n\t\treturn i"
},
{
"path": "symbolic/z3_wrap.py",
"chars": 3722,
"preview": "# Copyright: see copyright.txt\n\nimport sys\nimport ast\nimport logging\n\nfrom z3 import *\nfrom .z3_expr.integer import Z3In"
},
{
"path": "test/abs_test.py",
"chars": 126,
"preview": "def abs_test(a,b):\n\tif (a < 0):\n\t\tif (abs(a) == b):\n\t\t\treturn 0\n\t\treturn 1\n\treturn 2\n\ndef expected_result():\n\treturn [0,"
},
{
"path": "test/andor.py",
"chars": 98,
"preview": "def andor(x,y):\n\tif(x or y):\n\t\treturn 1\n\telse:\n\t\treturn 2\n\ndef expected_result():\n\treturn [1,1,2]\n"
},
{
"path": "test/arrayindex2.py",
"chars": 184,
"preview": "A = [0, 1, 0, 0, 1, 0, 1]\n\ndef arrayindex2(i):\n\n if i in [ j for j in range(len(A)) if A[j] ]:\n return i\n else:\n ret"
},
{
"path": "test/bad_eq.py",
"chars": 88,
"preview": "def bad_eq(i):\n\tif (0 == i):\n\t\treturn 0\n\treturn 1\n\ndef expected_result():\n\treturn [0,1]\n"
},
{
"path": "test/bignum.py",
"chars": 189,
"preview": "import sys\n\ndef bignum(a):\n if a == sys.maxsize:\n return \"bv\"\n if a == sys.maxsize+1:\n return \"bignum\"\n return "
},
{
"path": "test/binary_search.py",
"chars": 372,
"preview": "from lib.bsearch import *\n\narray = [ 0, 4, 6, 95, 430, 4944, 119101 ]\n\ndef binary_search(k):\n\ti = bsearch(array,k)\n\tif(i"
},
{
"path": "test/bitwidth.py",
"chars": 99,
"preview": "def bitwidth(a):\n\tif (a + 1 < a):\n\t\treturn 0\n\telse:\n\t\treturn 1\n\ndef expected_result():\n\treturn [1]\n"
},
{
"path": "test/complex.py",
"chars": 252,
"preview": "def complex(x,y):\n if (y >= 1<<32):\n h = hash(y)\n print(\"hash(\",y,\") =\",h)\n if (x == h):\n if (y == (1<<32"
},
{
"path": "test/cseppento1.py",
"chars": 697,
"preview": "def cseppento1(x,y):\n # based on B2a_IfElse by Lajos Cseppento\n # see: L. Cseppento: Comparison of Symbolic Execut"
},
{
"path": "test/cseppento2.py",
"chars": 411,
"preview": "def cseppento2(a,b):\n # based on B2c_NonLinear by Lajos Cseppento\n # see: L. Cseppento: Comparison of Symbolic Exe"
},
{
"path": "test/cseppento3.py",
"chars": 524,
"preview": "def cseppento3(x):\n # based on B3c_DoWhile by Lajos Cseppento\n # see: L. Cseppento: Comparison of Symbolic Executi"
},
{
"path": "test/cvc/effectivebool.py",
"chars": 488,
"preview": "\"\"\"Tests strings and integers used as a branch condition. The\ninterpreter calls the bool constructor with the contents o"
},
{
"path": "test/cvc/emptystr.py",
"chars": 176,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef emptystr(s):\n if s != '':\n return 0\n else:\n "
},
{
"path": "test/cvc/escape.py",
"chars": 235,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(string=\"foo\")\ndef escape(string):\n if string and '\\\\' not in string an"
},
{
"path": "test/cvc/none.py",
"chars": 173,
"preview": "from symbolic.args import *\n\n\n@symbolic(c=3)\ndef none(c):\n if c == None:\n return 1\n elif c != None:\n "
},
{
"path": "test/cvc/strcontains.py",
"chars": 182,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strcontains(s):\n if \"bar\" in s:\n return 0\n else"
},
{
"path": "test/cvc/strcount.py",
"chars": 286,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strcount(s):\n if s.count(\"x\") == 2:\n return 1\n "
},
{
"path": "test/cvc/strfind.py",
"chars": 255,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strfind(s):\n find_idx = s.find(\"bar\")\n if find_idx == "
},
{
"path": "test/cvc/strfindbeg.py",
"chars": 261,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strfindbeg(s):\n find_idx = s.find(\"bar\", 1)\n if find_i"
},
{
"path": "test/cvc/strindex.py",
"chars": 429,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foobar\")\ndef strindex(s):\n \"\"\"Test case does not currently test neg"
},
{
"path": "test/cvc/stringadd.py",
"chars": 186,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef stringadd(s):\n x = s + \"bar\"\n if x == \"nobar\":\n "
},
{
"path": "test/cvc/stringtest.py",
"chars": 229,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef stringtest(s):\n if (s == \"bar\"):\n return 0\n eli"
},
{
"path": "test/cvc/strmiddle.py",
"chars": 194,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"x\")\ndef strmiddle(s):\n x = \"A\"+s+\"C\"\n if \"B\" in x:\n retur"
},
{
"path": "test/cvc/strreplace.py",
"chars": 203,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"bar\")\ndef strreplace(s):\n if \"faa\" == s.replace(\"o\", \"a\"):\n "
},
{
"path": "test/cvc/strslice.py",
"chars": 191,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strslice(s):\n if '\\\\' not in s and s[0:2] == \"//\":\n "
},
{
"path": "test/cvc/strsplit.py",
"chars": 185,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strsplit(s):\n if ['a', 'b'] == s.split(\"&\"):\n retu"
},
{
"path": "test/cvc/strstartswith.py",
"chars": 183,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strstartswith(s):\n if s.startswith('abc'):\n return"
},
{
"path": "test/cvc/strstrip.py",
"chars": 190,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strstrip(s):\n if \" \" in s and \"abc\" == s.strip():\n "
},
{
"path": "test/cvc/strsubstring.py",
"chars": 374,
"preview": "from symbolic.args import symbolic\n\n\n@symbolic(s=\"foo\")\ndef strsubstring(s):\n \"\"\"Test case for Python slicing, negati"
},
{
"path": "test/decorator.py",
"chars": 167,
"preview": "from symbolic.args import *\n\n@concrete(a=1,b=2)\n@symbolic(c=3)\ndef decorator(a,b,c):\n\tif a+b+c == 6:\n\t\treturn 0\n\telse:\n\t"
},
{
"path": "test/decorator_dict.py",
"chars": 160,
"preview": "from symbolic.args import *\n\n@symbolic(d=dict([(42,6)]))\ndef decorator_dict(d):\n\tif d[42] == 6:\n\t\treturn 0\n\telse:\n\t\tretu"
},
{
"path": "test/diamond.py",
"chars": 173,
"preview": "def diamond(x,y,z):\n\tret = 0\n\tif (x):\n\t\tret = ret + 1\n\tif (y):\n\t\tret = ret + 1\n\tif (z):\n\t\tret = ret + 1\n\treturn ret\n\ndef"
},
{
"path": "test/dict.py",
"chars": 212,
"preview": "D = dict({ (101,2), (1,3), (4,9) })\n\ndef dict(x):\n # if x in D.keys():\n if x in [ j for j in D.keys() ]:\n r"
},
{
"path": "test/dictionary.py",
"chars": 284,
"preview": "# Copyright: see copyright.txt\n\n# Test if engine explores all paths\n\nfrom lib.se_dict import SymbolicDictionary\n\ndef dic"
},
{
"path": "test/elseif.py",
"chars": 512,
"preview": "# Copyright: see copyright.txt\n\n# Test if engine explores all paths\n\ndef elseif(in1):\n if in1 == 0:\n return 0"
},
{
"path": "test/expand.py",
"chars": 136,
"preview": "def expand(in1, in2):\n if (in1 + in2 >= 1 << 32): \n return 0\n else:\n return 1\n\ndef expected_result()"
},
{
"path": "test/expressions.py",
"chars": 341,
"preview": "# Copyright: see copyright.txt\n\ndef expressions(in1, in2):\n a = in1\n b = in2 + 47\n c = a * b\n # only solutio"
},
{
"path": "test/filesys.py",
"chars": 381,
"preview": "import os\nimport sys\n\ndef filesys(x):\n\t# if file doesn't exist, create it and \n\tg = 1\n\tif (os.path.exists(\"tmp.txt\")):\n\t"
},
{
"path": "test/fp.py",
"chars": 227,
"preview": "def fp(a):\n\tif a % 2 == 0:\n\t\t# The next condition basically checks whether a is zero (in a weird way, though).\n\t\tif a =="
},
{
"path": "test/gcd.py",
"chars": 1670,
"preview": "def rec_gcd(u,v):\n if (u == v):\n return u\n\n if (u == 0):\n return v\n\n if (v == 0):\n return u\n \n if not (u & "
},
{
"path": "test/hashval.py",
"chars": 245,
"preview": "# Created by Thomas Ball (2014)\n\ndef compute(x):\n\tres = x\n\tres = res + (res << 10)\n\tres = res ^ (res >> 6)\n\treturn res\n\t"
},
{
"path": "test/len_test.py",
"chars": 297,
"preview": "from symbolic.args import *\n\nclass Foo():\n def __init__(self, var):\n self.var = var\n\n def __len__(self):\n "
},
{
"path": "test/lib/__init__.py",
"chars": 15,
"preview": "# hello there1\n"
},
{
"path": "test/lib/bsearch.py",
"chars": 182,
"preview": "\ndef bsearch(a,k):\n\tlo, hi = 0, len(a)-1\n\twhile(lo <= hi):\n\t\tmid = (lo+hi) >> 1\n\t\tif (a[mid] == k):\n\t\t\treturn mid\n\t\telif"
},
{
"path": "test/lib/se_dict.py",
"chars": 253,
"preview": "# Copyright: see copyright.txt\n\nclass SymbolicDictionary(dict):\n\tdef __init__(self, *args, **kwargs):\n\t\tdict.__init__(se"
},
{
"path": "test/list.py",
"chars": 121,
"preview": "def list(a,b):\n if ([a,b] == [1,2]):\n return 1\n else:\n return 2\n\ndef expected_result_set():\n return [1,2"
},
{
"path": "test/logical_op.py",
"chars": 246,
"preview": "# Copyright: see copyright.txt\n\ndef logical_op(in1, in2):\n if (in1 & in2) == 1:\n if (in1 & in2) == 7:\n "
},
{
"path": "test/loop.py",
"chars": 198,
"preview": "def loop(in1,in2):\n if in1 > in2:\n i = 0\n while i < in1 and False:\n i = i+1\n return 1"
},
{
"path": "test/many_branches.py",
"chars": 643,
"preview": "# Copyright: see copyright.txt\n\n# Test if engine explores all paths\n\ndef many_branches(in1, in2, in3):\n if in1 == 0:\n"
},
{
"path": "test/maxtest.py",
"chars": 328,
"preview": "# Created by Thomas Ball (2014)\n#\n\ndef max2(s,t):\n\tif (s < t):\n\t\treturn t\n\telse:\n\t\treturn s\n\ndef max4(x,y,x2,y2):\n\tretur"
},
{
"path": "test/mod.py",
"chars": 121,
"preview": "def mod(x,y):\n\tif 0 < y < 10 and x % (y+1) == 3:\n\t\treturn 0\n\telse:\n\t\treturn 1\n\ndef expected_result():\n\treturn [0,1,1,1]\n"
},
{
"path": "test/modulo.py",
"chars": 154,
"preview": "def modulo(in1):\n if in1 % 3 != 0:\n return 1\n elif in1 % 5 != 0:\n return 2\n return 0\n \ndef exp"
},
{
"path": "test/modulo2.py",
"chars": 196,
"preview": "def modulo2(in1):\n if (in1 <= 0):\n return -1\n\n if in1 % 3 != 0:\n return 1\n elif in1 % 5 != 0:\n "
},
{
"path": "test/mult_assmt.py",
"chars": 247,
"preview": "\ndef mult_assmt(in1,in2,in3):\n v = in1\n if v == in2:\n if in3 > 0:\n v = v + 1\n \n if"
},
{
"path": "test/polyspace.py",
"chars": 350,
"preview": "def where_are_the_errors(input):\n\tk = input // 100\n\tx = 2\n\ty = k + 5\n\twhile x < 10:\n\t\tx = x + 1\n\t\ty = y + 3\n\tif (3*k + 1"
},
{
"path": "test/power.py",
"chars": 312,
"preview": "# currently, we don't handle the power operator symbolically,\n# so this test is not expected to cover the else branch. T"
},
{
"path": "test/power2.py",
"chars": 211,
"preview": "def power2(x):\n\tb = x * x;\n\tif b > 0:\n\t\treturn 0\n\telif b == 0:\n\t\treturn 1\n\telse:\n\t\t# This path is not possible if it is "
},
{
"path": "test/powtest.py",
"chars": 148,
"preview": "def powtest(in1):\n if in1*in1 == 0:\n return 1\n elif in1*in1 > 0:\n return 2\n return 0\n\ndef expecte"
},
{
"path": "test/reverse.py",
"chars": 143,
"preview": "# check that sub and rsub are modelled properly\n\ndef reverse(x):\n\tif (x - 5 == 0):\n\t\treturn 0\n\treturn 1\n\ndef expected_re"
},
{
"path": "test/set.py",
"chars": 177,
"preview": "S = { 1, 3, 9, 12, 15, 19 }\n\ndef set(x):\n if x in [ j for j in S]:\n return x\n else:\n return \"NONE\"\n\nd"
},
{
"path": "test/shallow_branches.py",
"chars": 359,
"preview": "# Copyright: see copyright.txt\n\n# Test if engine explores all paths\n\ndef shallow_branches(in1, in2, in3, in4, in5):\n "
},
{
"path": "test/simple.py",
"chars": 103,
"preview": "def simple(x):\n\tif (x+1 > 10):\n\t\treturn 42\n\telse:\n\t\treturn 43\n\ndef expected_result():\n\treturn [ 42, 43]"
},
{
"path": "test/swap.py",
"chars": 326,
"preview": "def swap(in1,in2):\n if in1 > in2:\n # swap in1 and in2\n in1 = in1 ^ in2;\n in2 = in1 ^ in2;\n "
},
{
"path": "test/tmp",
"chars": 0,
"preview": ""
},
{
"path": "test/tuplecmp.py",
"chars": 244,
"preview": "def tuplelt(a, b):\n a0, a1 = a\n b0, b1 = b\n\n if a0 < b0:\n return True\n elif a1 < b1:\n return True\n return Fal"
},
{
"path": "test/unnecessary_condition.py",
"chars": 221,
"preview": "def unnecessary_condition(in1,in2):\n if in1 > in2:\n unnec = in1 < in2 and False\n if unnec:\n "
},
{
"path": "test/unnecessary_condition2.py",
"chars": 337,
"preview": "def unnecessary_condition2(in1,in2):\n if in1 > in2:\n # unnec always false\n unnec = in1 < 5 and False # "
},
{
"path": "test/unnecessary_condition3.py",
"chars": 371,
"preview": "def unnecessary_condition3(in1):\n if in1 > 0:\n # in1 > 0\n return op(in1) + 10\n else:\n return "
},
{
"path": "test/unnecessary_condition4.py",
"chars": 376,
"preview": "def unnecessary_condition4(in1):\n v = op(in1)\n\n if in1 > 0:\n # in1 > 0\n return v + 10\n else:\n "
},
{
"path": "test/weird.py",
"chars": 142,
"preview": "def weird(x,y):\n\tif (x < y) + x == 1:\n\t\treturn 0\n\telse:\n\t\treturn 1\n\ndef expected_result():\n\treturn [0,1]\n\n#print weird(0"
},
{
"path": "test/whileloop.py",
"chars": 69,
"preview": "def whileloop(x):\n\ty = 1\n\twhile (0 <= x < 10 and y<=x):\n\t\ty = y + 1\n\n"
},
{
"path": "tools/symbolic_int_subtype.py",
"chars": 2122,
"preview": "# Check if SymbolicInteger is a subtype of `int' modulo concolic execution.\n#\n# To run:\n# $ python sym_exec.py examples/"
},
{
"path": "utils.py",
"chars": 224,
"preview": "# Copyright: see copyright.txt\n\nimport sys\nimport traceback\n\ndef traceback():\n\tstack = traceback.format_stack()\n\trest = "
},
{
"path": "vagrant.sh",
"chars": 1676,
"preview": "# Configuration\nINSTALLDIR=/home/vagrant/pyex\n\n# System Maintenance \napt-get update\napt-get -y upgrade\n\n# Dependencies\na"
}
]
// ... and 6 more files (download for full content)
About this extraction
This page contains the full source code of the thomasjball/PyExZ3 GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 140 files (1.2 MB), approximately 558.0k tokens, and a symbol index with 401 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.